b'Office of Audits and Evaluations\nReport No. EVAL-14-003\n\n\nThe FDIC\xe2\x80\x99s Personnel Security and\nSuitability Program\n\n\n\n\n                                   August 2014\n\x0c                                     Executive Summary\n\n                                     The FDIC\xe2\x80\x99s Personnel Security and\n                                     Suitability Program\n                                                                                    Report No. EVAL-14-003\n                                                                                                August 2014\nWhy We Did The Evaluation\n\nThe FDIC\xe2\x80\x99s Personnel Security and Suitability Program (PSSP) is designed to ensure that the Corporation\nemploys and retains only those persons who meet all federal requirements for suitability (i.e., character,\nreputation, honesty, integrity, trustworthiness) and whose employment or conduct would not jeopardize\nthe accomplishment of the Corporation\xe2\x80\x99s duties or responsibilities. A high-quality program is essential to\nminimizing the risks of unauthorized disclosures of sensitive information and to helping ensure that\ninformation about individuals with criminal activity or other questionable behavior is identified and\nassessed as part of the process for granting or retaining clearances. Further, potential missed red flags in\nthe backgrounds of individuals who have recently committed serious crimes have brought renewed public\nand Congressional attention to the criticality and quality of background checks.\n\nAn Office of Personnel Management Federal Investigative Services (OPM-FIS) review of the FDIC\xe2\x80\x99s\npersonnel security and suitability program completed in April 2013, primarily covering calendar year\n2011, made 11 recommendations for the FDIC to improve its program. In addition, an OIG contract audit\ncompleted in 2012 and an OIG audit of controls related to safeguarding sensitive information started in\n2013 identified deficiencies in the performance of background investigations for contractors and\nemployees, respectively. In 2013, the FDIC implemented all 11 OPM-FIS recommendations and\ncorrected the deficiencies identified in both OIG audits.\n\nOur objective was to determine whether the FDIC is carrying out its PSSP efficiently and effectively. We\nevaluated (1) FDIC management\xe2\x80\x99s overall administration of the program, including the extent to which\napplicable policies and procedures are in place and being followed; (2) oversight and administration of\nthe contract supporting the program; and (3) the nature, extent, allowability, and reasonableness of costs\nincurred under the contract supporting the program. We engaged BDO USA, LLP to complete tasks\ndetailed in an evaluation program that we developed and approved, provide technical guidance and\nanalytical assistance, and assist in our reporting of evaluation results. Our review covered the period from\nJanuary 2011 through July 2013.\n\nBackground\n\nThe authority for determining suitability for federal employment in the competitive service is vested in\n5 U.S.C. 3301, 3302, and 7301; Executive Order (E.O.) 10577, as amended by E.O. 12107; and 5 C.F.R.\nParts 5, 731, and 736. Applicants, appointees, and employees are also subject to mandatory bars outlined\nin 12 C.F.R. Part 336, Minimum Standards of Fitness for Employment with the Federal Deposit Insurance\nCorporation. The FDIC primarily ensures the suitability of its employees and contractors and that the\nminimum standards of fitness and employment are met through the background investigations process.\n\nThe FDIC\xe2\x80\x99s Security and Emergency Preparedness Section (SEPS) within the Corporate Services Branch\n(CSB) in the Division of Administration (DOA) receives, assesses, processes, and adjudicates personnel\nsecurity and suitability cases for all FDIC employees, contractors, and subcontractors. The FDIC relies\nheavily on a contractor for performing background investigation functions and providing personnel\nsuitability support. The Corporation uses the OPM-FIS to conduct background investigations based on\nthe risk level designation for the position the FDIC is filling.\n\n\n\n\n                                                     i\n\x0c                                    The FDIC\xe2\x80\x99s Personnel Security and\n    Executive Summary               Suitability Program\n                                                                                   Report No. EVAL-14-003\n                                                                                               August 2014\n\nEvaluation Results\n\nDuring our evaluation, the PSSP was in a state of transition and various aspects of the program were\nevolving and being improved. In furtherance of those efforts, the FDIC could strengthen controls in the\nfollowing areas.\n\nOverall Program Administration. Most preliminary clearance and adjudication determinations we\nreviewed were completed appropriately. However, we questioned a number of decisions and found that\nsome decisions lacked support; not all background investigations performed were commensurate with a\nposition\xe2\x80\x99s risk level designation; some background investigations were not timely; and many\ninvestigation case files were missing key documentation. We concluded that our test results could be\nattributed to weaknesses in policies and procedures, and management resource issues such as continuity\nand span of control. SEPS indicated that it made a number of program changes following our testing\nperiod and realized meaningful program improvements in late 2013 and early 2014, such as:\n\n\xef\x82\xb7    Eliminating case backlogs, thereby reducing processing times, both on the front-end for background\n     investigation submissions to OPM and the back-end for completed case adjudications;\n\xef\x82\xb7    Implementing the use of OPM\xe2\x80\x99s e-QIP system for electronic submission of background investigation\n     questionnaires for all employees and contractors to reduce case review time and processing errors;\n\xef\x82\xb7    Reviewing all FDIC position descriptions to ensure they had appropriate position sensitivity\n     determinations;\n\xef\x82\xb7    Instituting a periodic reinvestigation program for incumbent federal staff in moderate risk positions;\n\xef\x82\xb7    Increasing security support contract staffing levels with experienced adjudicators and security\n     assistants, a more experienced senior project manager, and other positions; and\n\xef\x82\xb7    Reorganizing SEPS and hiring an experienced Security Operations Unit manager to provide day-to-\n     day supervision and management of the security support contract and federal staff.\n\nSEPS also began an effort to digitize background investigation files and automate the PSSP process\nthrough an enterprise content management platform, known as the Personnel Security Records\n(PERSEREC) project. This effort is intended to improve records management, program efficiency, and\nperformance reporting.\n\nContract Oversight. Most contractor charges that we reviewed were supportable and contract\nmodifications were appropriately executed. However, we identified a few exceptions related to contractor\novertime hours, labor category mix, the timely signature of modifications, and written approvals for key\npersonnel changes. Further, while we determined that most contractor staff met minimum qualifications,\nwe identified two staff that did not. Finally, we concluded that contract oversight could be strengthened\nby SEPS establishing better criteria for measuring contractor production and performance. SEPS\ndeveloped weekly performance metrics, including contractor metrics, in May 2013. Implementation of\nthe PERSEREC project should help to improve the reliability of underlying performance metric data and\nautomate and enhance performance reporting.\n\nRecords Management. Records management controls over PSSP files, which include extensive amounts\nof sensitive personally identifiable information (PII), needed improvement. These weaknesses create\ninefficiency and present risks to the FDIC, including the potential for unauthorized release and access to\nlarge volumes of PII, and the PSSP team\xe2\x80\x99s inability to respond to inquiries or readily locate\n\n\n                                                    ii\n\x0c                                   The FDIC\xe2\x80\x99s Personnel Security and\n  Executive Summary                Suitability Program\n                                                                                 Report No. EVAL-14-003\n                                                                                             August 2014\n\ndocumentation supporting background investigation determinations. The transition to PERSEREC should\nmitigate these weaknesses and inefficiencies.\n\nInformation Systems. Data we reviewed in the DOA systems used to capture preliminary clearance data\nand provide management reporting\xe2\x80\x94the Background Investigation Review Tracking (BIRT) System and\nthe Corporate Human Resources Information System (CHRIS)\xe2\x80\x94were not reliable and, in some cases,\nredundant. SEPS officials indicated that once PERSEREC is fully operational, BIRT will be retired.\nSEPS also expects to implement a business process management system in 2015 that will integrate with\nPERSEREC, CHRIS, and OPM systems to automatically update background investigation case\ninformation and track the status of cases. SEPS will need to ensure that it builds adequate workflow\nprocess controls into the automation effort to address the weaknesses noted in this report.\n\nAs we completed our testing, it was too early to fully assess the effectiveness of SEPS\xe2\x80\x99 operational\nimprovements, hiring of new management and key staff, and ongoing and planned automation efforts.\nNevertheless, we considered those efforts in forming our recommendations.\n\nRecommendations\n\nThe report contains 10 recommendations intended to complement ongoing PSSP program improvements\nand to strengthen and sustain associated policies, procedures, and controls.\n\nThe Director, DOA, provided a written response dated July 24, 2014, to a draft of this report. In the\nresponse, the Director, DOA, concurred with the report\xe2\x80\x99s 10 recommendations. The response described\nimprovements to the PSSP that were occurring during and after the scope of this review and outlined\ncorrective actions that were responsive to the recommendations. DOA has already taken steps that we\nconfirmed were sufficient to close three of the recommendations.\n\n\n\n\n                                                   iii\n\x0c                                   Contents\n\n                                                                          Page\nBackground                                                                  2\n\nEvaluation Results                                                          4\n\n   Overall Administration of the PSSP                                       4\n       Preliminary Clearance and Adjudication Determinations                4\n       Extent to Which Background Investigations Were Commensurate with\n           Risk Level Designations                                          6\n       Timeliness of Background Investigation Processes                     7\n       Documentation Maintained in Investigation Case Files                10\n       PSSP Policies and Procedures                                        11\n       Management Oversight of the PSSP                                    11\n       Program Changes and Improvements                                    13\n       Recommendations                                                     14\n\n   Contractor Performance and Oversight                                    14\n       Recommendations                                                     17\n\n   Records Management Controls                                             18\n       Recommendations                                                     20\n\n   Information Systems Reliability and Controls                            20\n        Recommendation                                                     22\n\n   Digitization and Automation Efforts                                     23\n        Recommendations                                                    24\n\nCorporation Comments and OIG Evaluation                                    24\n\n\nAppendices\n  1. Objective, Scope, and Methodology                                     25\n  2. Sampling Methodology                                                  28\n  3. Questioned or Unsupported Preliminary Clearance or Adjudication\n      Decisions                                                            31\n  4. Glossary                                                              33\n  5. Acronyms and Abbreviations                                            37\n  6. Corporation Comments                                                  38\n  7. Summary of the Corporation\xe2\x80\x99s Corrective Actions                       46\n\x0c                                   Contents\n\n                                                                         Page\nTables\n   1.  Background Investigations Performed Below PSA Form Risk Rating      7\n   2.  PSA Forms Not Included in File                                      7\n   3.  Investigations Not Submitted to OPM Within 14 Days                  8\n   4.  Forms 79A Not Sent to OPM Within 90 Days                            9\n   5.  National Security Cases Not Adjudicated Within 20 Days              9\n   6.  Contractor Preliminary Approvals Not Completed Within 5 Days        9\n   7.  Files With Incomplete Summary Sheet Documentation                  10\n   8.  Files Missing Documents                                            11\n   9.  BIRT Records with Missing or Erroneous Data                        21\n   10. CHRIS Records with Missing or Erroneous Data                       21\n   11. Background Investigations Processed, January 1, 2011 \xe2\x80\x93 July 31,    26\n       2013\n   12. Sampled Files by Type of Investigation                             29\n   13. Sampled Files by Adjudication Result                               29\n   14. Sampled Files by OPM Issue Indicator                               29\n\n\nFigures\n   1. SEPS New Organizational Structure                                   13\n   2. PSSP Support Contractor Staff Organizational Structure              15\n\x0cFederal Deposit Insurance Corporation                                                       Office of Audits and Evaluations\n3501 Fairfax Drive, Arlington, VA 22226                                                          Office of Inspector General\n\n\n\nDATE:                                     August 7, 2014\n\nMEMORANDUM TO:                            Arleas Upton Kea\n                                          Director, Division of Administration\n\n\n                                          /signed/\nFROM:                                     Stephen M. Beard\n                                          Deputy Inspector General for Audits and Evaluations\n\nSUBJECT:                                  The FDIC\xe2\x80\x99s Personnel Security and Suitability Program\n                                          (Report No. EVAL-14-003)\n\n\nThis report presents the results of our subject evaluation. The FDIC\xe2\x80\x99s Personnel Security and\nSuitability Program1 (PSSP) is designed to ensure that the Corporation employs and retains only\nthose persons who meet all federal requirements for suitability (i.e., character, reputation,\nhonesty, integrity, trustworthiness) and whose employment or conduct would not jeopardize the\naccomplishment of the Corporation\xe2\x80\x99s duties or responsibilities. A high-quality program is\nessential to minimizing the risks of unauthorized disclosures of sensitive information and to\nhelping ensure that information about individuals with criminal activity or other questionable\nbehavior is identified and assessed as part of the process for granting or retaining clearances.\n\n\nObjective and Approach\nOur objective was to determine whether the FDIC is carrying out its PSSP efficiently and\neffectively. To fulfill this objective, we evaluated (1) FDIC management\xe2\x80\x99s overall\nadministration of the program, including the extent to which applicable policies and procedures\nare in place and being followed; (2) oversight and administration of the contract supporting the\nprogram; and (3) the nature, extent, allowability, and reasonableness of costs incurred under the\ncontract supporting the program.\n\nWe conducted this evaluation in accordance with the Council of the Inspectors General on\nIntegrity and Efficiency\xe2\x80\x99s Quality Standards for Inspection and Evaluation. We engaged BDO\nUSA, LLP to support the Office of Inspector General (OIG) by completing tasks detailed in an\nOIG-developed and approved evaluation program, providing technical guidance and analytical\nassistance throughout the assignment, and assisting the OIG in reporting the evaluation results.\n\nTo evaluate the FDIC\xe2\x80\x99s overall administration of the program, we first gained an understanding\nof program requirements by reviewing applicable laws and regulations. We then reviewed\n\n1\n    Terms that are underlined when first used in the report are defined in Appendix 4, Glossary.\n\x0crelevant FDIC policies and procedures, interviewed program officials, and observed how FDIC\nprocessed background investigations and handled background investigation files. Next we\nreviewed a non-statistical sample of 108 background investigation files undergoing preliminary\nclearance or adjudication between January 1, 2011 and July 31, 2013.2 In selecting our sample,\nwe stratified the population to select a representative sample based on type of employment,\ninvestigation type, adjudication determination, and Office of Personnel Management (OPM) risk\ndesignation. We assessed program administration through a review of file documentation,\napprovals, and adjudication decisions for the 108 background investigation files sampled.\n\nWe assessed contractor administration and oversight by reviewing the contractor\xe2\x80\x99s day-to-day\noperations and deliverables, as well as the roles of Security and Emergency Preparedness Section\n(SEPS) employees and the PSSP support contractor staff (collectively the PSSP Team). We\nassessed contractor costs by reviewing contractor invoices for reasonableness and accuracy.\nAppendix 1 provides additional details on our objective, scope, and methodology and\nAppendix 2 discusses the sampling methodology used for this evaluation.\n\n\nBackground\nThe authority for determining suitability for federal employment in the competitive service is\nvested in 5 United States Code (U.S.C.) 3301, 3302, and 7301; Executive Order (E.O.) 10577, as\namended by E.O. 12107; and 5 Code of Federal Regulation (C.F.R.) Parts 5, 731, and 736.\nApplicants, appointees, and employees are also subject to mandatory bars outlined in 12 C.F.R.\nPart 336, Minimum Standards of Fitness for Employment with the Federal Deposit Insurance\nCorporation, which prohibits any person from becoming employed or providing service to, or on\nbehalf of, the FDIC who has:\n\n       \xef\x82\xb7   been convicted of any felony;\n       \xef\x82\xb7   been removed from or prohibited from participating in the affairs of any insured\n           depository institution pursuant to any final enforcement action by any appropriate Federal\n           banking agency;\n       \xef\x82\xb7   demonstrated a pattern or practice of defalcation regarding obligations to insured\n           depository institutions; or\n       \xef\x82\xb7   caused a substantial loss, in an amount in excess of $50,000, to federal deposit insurance\n           funds.\n\nFDIC Circular 2120.1, Personnel Suitability Program, establishes the responsibilities, policy\nrequirements, and procedures for the Corporation\'s Personnel Suitability Program. The\nprovisions of this circular apply to all FDIC employees, appointees, and applicants for\nemployment. Requirements related to FDIC contractors and subcontractors may be found in\nFDIC Circular 1610.2, Security Policy and Procedures for FDIC Contractors, while those\nrelated to FDIC national security positions may be found in FDIC Circular 1600.3, National\nSecurity Program.\n\n2\n    The results of a non-statistical sample cannot be projected to the intended population.\n\n\n\n                                                             2\n\x0cThe FDIC primarily ensures the suitability of its employees and contractors and that the\nminimum standards of fitness for employment are met through the background investigations\nprocess. This process generally includes a risk designation, application submission,\ninvestigation, and adjudication. Specifically, division and office directors complete risk\ndesignations for positions and ensure that the designations accurately reflect the risk posed to the\nCorporation. These designations include consideration of the extent to which the position\nrequires access to sensitive data. After an individual has been selected for a position that\nrequires a personnel security clearance and the individual submits an application for a clearance,\na background investigation is conducted commensurate with the risk designation. Adjudicators\nuse the information from these investigations to determine whether an applicant is eligible for a\nclearance.\n\nThe FDIC\xe2\x80\x99s SEPS within the Corporate Services Branch (CSB) in the Division of\nAdministration (DOA) receives, assesses, processes, and adjudicates personnel security and\nsuitability cases for all FDIC employees, contractors, and subcontractors. The FDIC uses the\nOffice of Personnel Management Federal Investigative Services (OPM-FIS) to conduct\nbackground investigations. As detailed in Appendix 1, Objective, Scope, and Methodology,\nPSSP processed 6,907 background investigations for FDIC employees and contractors from\nJanuary 1, 2011 through July 31, 2013, the period covered by our review.\n\nThe OIG has not reviewed the PSSP since 2001. However, an OIG contract audit completed in\n20123 and an OIG audit of controls related to safeguarding sensitive information started in 20134\nidentified deficiencies in the performance of background investigations for contractors and\nemployees, respectively. The FDIC implemented actions to address the deficiencies identified in\nboth OIG audits.\n\nOPM-FIS reviewed the FDIC\xe2\x80\x99s PSSP, primarily covering calendar year 2011. OPM-FIS\xe2\x80\x99s April\n2013 report made 11 recommendations for the FDIC to improve the PSSP. The OPM-FIS\nprogram evaluation confirmed that the FDIC was validating the need for an investigation through\nOPM\xe2\x80\x99s Central Verification System (CVS).5 However, the review found that the FDIC needed\nto improve, and made recommendations for:\n\n    \xef\x82\xb7   Calculating accurate annual investigation projections,\n    \xef\x82\xb7   Using the Electronic Questionnaires for Investigations Processing (e-QIP) system,\n    \xef\x82\xb7   Reporting adjudication determinations to OPM,\n    \xef\x82\xb7   Making timely adjudication decisions,\n\n3\n  FDIC OIG Report No. AUD-12-010, Controls Related to the FDIC\xe2\x80\x99s Contract with KeyCorp Real Estate Capital\nMarkets, Inc., dated July 3, 2012.\n4\n  FDIC OIG Report No. AUD-14-008, The FDIC\xe2\x80\x99s Controls for Safeguarding Sensitive Information in Resolution\nPlans Submitted Under the Dodd-Frank Act, dated July 3, 2014.\n5\n  This is a suitability and security automation performance goal that OPM monitors and reports to the Performance\nAccountability Council established by E.O. 13467, dated June 30, 2008, Reforming Processes Related to Suitability\nfor Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National\nSecurity Information.\n\n\n\n                                                        3\n\x0c   \xef\x82\xb7   Sharing CVS data monthly with OPM,\n   \xef\x82\xb7   Appropriately designating position risk and sensitivity, and\n   \xef\x82\xb7   Requesting correct investigations and reinvestigations.\n\nIn 2013 the FDIC took action to address each of OPM\xe2\x80\x99s recommendations.\n\n\nEvaluation Results\nDuring our evaluation, the PSSP was in a state of transition and various aspects of the program\nwere evolving and being improved. In furtherance of those efforts, the FDIC could strengthen\ncontrols in the following areas:\n\n   \xef\x82\xb7   Overall Program Administration\n   \xef\x82\xb7   Contract Oversight\n   \xef\x82\xb7   Records Management\n   \xef\x82\xb7   Information Systems\n\nTo that end, we are making 10 recommendations to enhance the FDIC\xe2\x80\x99s PSSP.\n\nOur testing covered the period January 1, 2011 through July 31, 2013. As a result, it was too\nearly for us to evaluate the effectiveness of certain operational improvements and the hiring of\nnew management and key staff aimed at strengthening the PSSP. Nevertheless, we did consider\nthose efforts in forming our recommendations. In that regard, during our evaluation, SEPS\nbegan an effort to digitize background investigation files and automate the PSSP process through\nan enterprise content management platform. This initiative is intended to improve records\nmanagement and operational efficiency. SEPS has also indicated it is being mindful of building\nadequate workflow process controls into the automation effort to address issues noted in this\nreport.\n\n\nOverall Administration of the PSSP\nWhile we concluded that most preliminary clearance and adjudication determinations were\ncompleted appropriately, we questioned a number of decisions and found some decisions lacked\nsupport, not all background investigations performed were commensurate with a position\xe2\x80\x99s risk\nlevel designation, some background investigations were not timely, and many investigation case\nfiles were missing key documentation. SEPS indicated that, following our testing period,\nperformance in some of these areas improved significantly.\n\nPreliminary Clearance and Adjudication Determinations\n\nWe concluded that most preliminary clearance and adjudication decisions were consistent with\nfederal and FDIC suitability requirements based on information contained in investigation case\nfiles. Still, we identified eight files (7 percent) where we questioned preliminary clearance or\nadjudication determinations or found that decisions lacked support. Further, 52 percent of the\n\n\n                                                4\n\x0cfiles we tested did not contain key documents used to support preliminary clearance or\nadjudication decisions, or both.\n\nThe PSSP review has two key decision milestones: preliminary clearance and adjudication. The\nPSSP team conducts the preliminary clearance assessment to determine compliance with\nFDIC-specific suitability criteria, including criminal and financial history. The Preliminary\nBackground Checklist should document and support preliminary clearance decisions and\napprovals. Once an applicant is approved through the preliminary clearance process, the\napplicant is eligible to begin work for the FDIC.\n\nApplicants that are preliminarily cleared will then undergo an OPM investigation based on the\nrisk designation for the position. OPM returns its investigation to the PSSP team for final\nadjudication. The adjudication decision, FDIC approval, and related support are documented on\nthe Personnel Investigation Summary. If an applicant has received a previous favorable\nadjudication that falls within acceptable timing and risk parameters, then the FDIC may rely\nupon the prior investigation and not require a new investigation. This process is known as\nreciprocity.\n\nWe tested our sample of 108 files to assess whether preliminary clearance and adjudication\ndecisions were consistent with federal and FDIC suitability requirements based on information\navailable in the case files. Our testing found eight files (7 percent) where we questioned the\npreliminary clearance or adjudication decisions or found such decisions lacked support, as\nfollows.\n\n    \xef\x82\xb7    In two cases, we concluded that PSSP\xe2\x80\x99s reliance on a prior background investigation\n         (reciprocity) was incorrect,\n    \xef\x82\xb7    In two cases, we concluded that PSSP\xe2\x80\x99s decision to preliminarily clear two staff was\n         based on incomplete or incorrect information, and\n    \xef\x82\xb7    In four cases, the background investigation files did not include sufficient support for\n         reciprocity, preliminary clearance, or adjudication decisions.\n\nWe provided the SEPS Assistant Director with additional details for each of the eight cases,\nwhich are summarized in Appendix 3. He concurred with our conclusions and acknowledged\nthat the FDIC should establish a consistent practice on how it should handle individuals who\nexperienced probation before judgment based on one of the cases we identified. None of the\nindividuals associated with these cases remains employed by, or under contract with, the FDIC.\n\nLegal Division Review. PSSP refers files with potential suitability issues to the FDIC\xe2\x80\x99s Legal\nDivision for additional review.6 Through our review of files, we identified 18 with potential\nsuitability issues and tested them to ensure they were sent to the Legal Division for review and\nthat the Legal Division\xe2\x80\x99s decision was sufficiently documented. Of the 18 files tested, 3 files (17\npercent) were not sent to the Legal Division, and 2 files (11 percent) did not clearly document\n\n6\n  Suitability issues could involve many situations, since each applicant situation is unique. Among other things,\nsuitability issues could involve financial matters, such as bankruptcy; criminal records; or lack of integrity, such as\nlying on an application or not disclosing complete information.\n\n\n\n                                                           5\n\x0cthe Legal Division\xe2\x80\x99s decision. The PSSP team explained that there is not a formal policy or\nconsistent practice regarding when files should be sent to the Legal Division for review. Some\nSEPS employees told us they make that determination on a case-by-case basis, while others\nsuggested that all files involving bankruptcies and felonies should be sent to the Legal Division.\nWe concluded that SEPS should clarify its policies regarding specifically when files should be\nsent to the Legal Division for review.\n\nDocumentation. We tested all 108 files for key documents and approvals related to preliminary\nclearance and adjudication. This testing included reviews of the Preliminary Background\nChecklist and Personnel Investigation Summary, which are the key documents for preliminary\nclearance and final adjudication decisions, respectively. Of the 102 files7 applicable in the\nsample, 55 (54 percent) were missing the Preliminary Background Checklist for preliminary\nclearance. Although the checklist was missing, we determined that these 55 files, in substance,\nwere preliminarily cleared appropriately. Of the 84 files in our sample that reflected screening\nwork through adjudication, 4 files (5 percent) were missing the Personnel Investigation\nSummary for adjudication or did not have the appropriate FDIC approval. We concluded,\nhowever, that these four files were adjudicated appropriately. By not having the necessary\nassessment forms included in the file and appropriately approved, the FDIC cannot readily\nsupport its preliminary clearance and adjudication decisions.\n\nExtent to Which Background Investigations Were Commensurate with Risk Level\nDesignations\n\nWe tested all 108 files to ensure that the type of background investigation performed matched\nthe risk level on the Personnel Security Action (PSA) form completed by the applicant\xe2\x80\x99s hiring\nmanager. One of the key purposes of the PSA form is to identify the risk sensitivity of the\napplicant\xe2\x80\x99s position within FDIC so the PSSP team can complete the appropriate investigation.\nThe hiring manager completes the PSA form for all new employees and contractors. The\nposition risk is assessed at high, medium, or low as determined by the position\'s potential for\nadverse impact to the efficiency or integrity of the service, based on OPM\xe2\x80\x99s Position Designation\nSystem.8\n\nPerforming the appropriate level of background investigation on employees and contractors is\ncritical to ensure that the FDIC is in compliance with its own policies and OPM requirements.\nTypically, lower level reviews address shorter periods of the applicant\xe2\x80\x99s background.\nDerogatory information from earlier periods could potentially be missed in lower level\ninvestigations, which puts the FDIC at risk to favorably adjudicate an applicant with potential\nsuitability issues.\n\nOf the 108 files we reviewed, 23 files (21 percent) indicated the level of background\ninvestigation conducted was lower than the required investigation type based on the risk level\ndesignated on the PSA form. Additionally, 44 files (41 percent) did not have the PSA form in\n\n\n7\n    This was not applicable to all 108 files because reinvestigations do not go through preliminary clearance reviews.\n8\n    FDIC Circulars also refer to this as the Risk Designation System.\n\n\n\n                                                            6\n\x0cthe file, so we were unable to verify that the FDIC had conducted the appropriate level of\ninvestigation.\n\nTable 1: Background Investigations Performed Below PSA Form Risk Rating\n                                 Files                                       Exceptions by Year\n                Tested      Exceptions       Percentage         2011           2012      Through July 2013\nContractor        58            15              26%              6%            33%              35%\nEmployee          50            8               16%             25%            14%              0%\n\nTotal             108            23              21%             16%            24%                  23%\nSource: OIG analysis of background investigation files.\n\nTable 2: PSA Forms Not Included in File\n                                 Files                                       Exceptions by Year\n               Tested      Exceptions        Percentage          2011         2012      Through July 2013\nContractor       58            17               29%              65%           13%              18%\nEmployee         50            27               54%              55%           57%              44%\n\nTotal            108            44               41%             59%            33%                  27%\nSource: OIG analysis of background investigation files.\n\nWe found similar issues in our 2012 audit of the Controls Related to the FDIC\xe2\x80\x99s Contract with\nKeyCorp Real Estate Capital Markets, Inc. The audit found that, as of May 2012, the contract\nrisk level designation was \xe2\x80\x9chigh,\xe2\x80\x9d but none of the background investigations for a sample of\ncontractor personnel were conducted at a commensurate level. During our current evaluation,\n10 of the 23 files we identified as having lower reviews than designated on the PSA form\noccurred after that May 2012 finding.\n\nThe SEPS Assistant Director told us that, in December 2013, SEPS completed a review of all\nFDIC position descriptions to validate position sensitivity levels using OPM\xe2\x80\x99s automated\nPosition Designation Tool. The review determined that 26 percent of existing position\ndescriptions were incorrectly designated either lower or higher than determined using the\nPosition Designation Tool. SEPS initiated work with DOA\xe2\x80\x99s Human Resources Branch to\ncorrect discrepancies and request appropriate scope background investigations for those\nincumbent employees.\n\nTimeliness of Background Investigation Processes\n\nOur evaluation assessed PSSP performance with respect to key OPM and FDIC metrics related\nto requests for investigation, reporting of agency adjudicative actions to OPM, adjudication of\nNational Security9 cases, and the preliminary approval of contractors, as follows:\n\nRequest for Investigation. OPM requires that Federal departments and agencies request\ninvestigations within 14 days of an applicant\xe2\x80\x99s certification of the Application for Public Trust\n\n9\n National Security positions involve activities of the government that are concerned with protecting the nation from\nforeign aggression or espionage and that require regular use of, or access to, Classified National Security\nInformation, per FDIC Circular 1600.3, National Security Program.\n\n\n\n                                                          7\n\x0cPositions form or the electronic equivalent, OPM\xe2\x80\x99s e-QIP. We tested the 82 applicable files\nsubmitted to OPM for investigation10 by comparing the applicant\xe2\x80\x99s certification date to the date\nOPM scheduled the subject\xe2\x80\x99s investigation and found that PSSP requested investigations for\n74 files (90 percent) in excess of 14 days. Submission times for files that exceeded the 14-day\nmetric ranged from 15 to 557 days, with a median of 59 days. Our testing results were consistent\nwith the OPM-FIS program review that found 86 percent of cases were submitted in excess of\n14 days in 2011. SEPS internal performance metrics showed marked improvement in the fourth\nquarter of calendar year 2013. Further, SEPS management advised the OIG, but we did not\nconfirm as part of this evaluation, that as of March 2014, SEPS was meeting the 14-day criteria\nto submit investigations to OPM. SEPS also indicated that the FDIC had mandated the use of\nOPM\xe2\x80\x99s e-QIP system for the electronic submission of all background investigation\nquestionnaires.\n\nTable 3: Investigations Not Submitted to OPM Within 14 Days\n                                       Files                                        Exceptions by Year\n                    Tested        Exceptions        Percentage           2011         2012     Through July 2013\nContractor            39              31                79%               88%          75%            82%\nEmployee              43              43               100%              100%         100%           100%\n\nTotal                  82              74                90%              96%           87%          89%\nSource: OIG analysis of background investigation files.\n\nReport of Agency Adjudicative Action. OPM requires federal departments and agencies to\nreport adjudication outcomes to OPM through paper or electronic Forms 79A, Report of Agency\nAdjudicative Action, as soon as possible, and no later than 90 days after receiving the\ninvestigation from OPM. OPM-FIS tested this metric in its program review and found that the\naverage return time was 242 days. In addition, OPM-FIS noted 343 instances (25 percent of\ninvestigations completed within the program review scope) where investigations had been\ncompleted for more than 90 days but PSSP had never returned the Form 79A to OPM.\n\nFor the 89 files we tested where a Form 79A was submitted to OPM,11 we found that the PSSP\nteam submitted 43 forms (48 percent) to OPM in excess of 90 days. Submission times for forms\nthat exceed the 90-day goal ranged from 93 to 477 days with a median of 224 days. We also\nidentified files in which a Form 79A was never submitted. Of the files we tested, the FDIC\nimproved its submission timeliness each year, significantly in 2013 compared to 2011. In\naddition, the SEPS Assistant Director advised the OIG that he implemented new procedures in\n2014 that should further improve timeliness.\n\n\n\n\n10\n     This test was not applicable to all files due to reciprocity.\n11\n     This was not applicable for all files because not all files went through adjudication.\n\n\n\n                                                               8\n\x0cTable 4: Forms 79A Not Sent to OPM Within 90 Days\n                                 Files                                     Exceptions by Year\n                Tested     Exceptions        Percentage          2011       2012     Through July 2013\nContractor        43           14               33%              50%        30%             23%\nEmployee          46           29               63%              85%        56%             25%\n\nTotal              89            43              48%             73%          42%                24%\nSource: OIG analysis of background investigation files.\n\nNational Security Reviews. The Intelligence Reform and Terrorism Prevention Act (IRTPA)\nestablished standards for adjudicative timeliness for National Security reviews. Agencies have a\ngoal to adjudicate the fastest 90 percent of initial security clearance investigations in an average\nof 20 days. We tested six National Security cases in our sample.12 Two files (33 percent) were\nadjudicated within the 20-day period. The four files that exceeded the 20-day goal had\nadjudication ranges of 24-224 days with a median of 133 days. The OPM-FIS program review\nalso tested this metric. OPM-FIS identified 20 National Security investigations in its review, and\nfound the 90 percent fastest adjudicated investigations took an average of 151 days. SEPS\ninternal performance metrics showed marked improvement in the fourth quarter of calendar year\n2013. Further, management advised the OIG, but we did not confirm as part of this evaluation,\nthat as of March 2014, SEPS was adjudicating national security cases within an average of\n10 days.\n\nTable 5: National Security Cases Not Adjudicated Within 20 Days\n                                 Files                                     Exceptions by Year\n                Tested     Exceptions        Percentage         2011        2012     Through July 2013\nContractor        3            2                67%             100%         0%            100%\nEmployee          3            2                67%              0%         50%            100%\n\nTotal              6             4               67%            100%          33%                100%\nSource: OIG analysis of background investigation files.\n\nContractor Preliminary Approvals. Per FDIC Circular 1610.2, Personnel Security Policy and\nProcedures for FDIC Contractors, the preliminary approval process should take about 3 to 5\nbusiness days to complete once the PSSP team receives all of the required information. Our test\nof 52 contractor files showed 36 (69 percent of files tested) did not meet that 5-day goal. This\ntest measured the time between the certification date of the Application for Public Trust\nPositions form and the date on which the FDIC finalized preliminary clearance. Files that\nexceeded the 5-day goal took from 6 to 295 days to preliminarily clear, with a median of\n29 days.\n\nTable 6: Contractor Preliminary Approvals Not Completed Within 5 Days\n                                 Files                                     Exceptions by Year\n                Tested     Exceptions        Percentage         2011        2012     Through July 2013\nContractor        52           36               69%             42%         75%             81%\nSource: OIG analysis of background investigation files.\n\n12\n  There were 225 National Security cases among the population of 6,907 cases during the evaluation period, or\n3 percent of the population. We sampled the 6 National Security cases (3 percent of the 225), as explained further in\nAppendix 2, Sampling Methodology.\n\n\n\n                                                          9\n\x0cDocumentation Maintained in Investigation Case Files\n\nWe tested all 108 files for completeness of the internal Summary Sheet checklist and other key\ndocumentation. The Summary Sheet is supposed to be included in each file to track review\nprogress, issues, and milestones and to indicate approvals in certain situations. However, there\nare no standard protocols or policies on what items should be captured on the form. The sheet is\nmanually completed by the PSSP team and maintained on the left inside flap of each file. Due to\nthe manual nature of the current review process, the PSSP team considers this sheet important\nbecause it provides the current status, shows outstanding issues, and helps to ensure the\ninvestigation is complete. Missing information on the Summary Sheet increases the likelihood\nthat key milestones could be missed or actions taken on investigations misunderstood by the\nreview team. We reviewed the Summary Sheet for each file to assess whether key review\nmilestones and signoffs were documented.\n\nFor our testing related to the Summary Sheet, we tested all files for the existence of the Summary\nSheet and nine review milestones, as applicable to each file. Of the 108 files reviewed, 16 files\n(15 percent) did not include a Summary Sheet and 90 files (85 percent) were missing one or\nmore of the key milestones on the Summary Sheet. In total, we performed 720 Summary Sheet\ncompleteness tests13 and identified 385 exceptions related to missing documentation or missing\nmilestones (53 percent).\n\nTable 7: Files with Incomplete Summary Sheet Documentation\n                                   Files                                       Exceptions by Year\n                 Tested     Exceptions         Percentage           2011         2012    Through July 2013\nContractor         58           56                 97%               94%         96%            100%\nEmployee           50           50                100%              100%        100%            100%\n\nTotal              108           106               98%              97%           98%                100%\nSource: OIG analysis of background investigation files.\nNote: Tests performed assessed, where applicable, the summary sheet for the following: included in file; updated for\ne-QIP or Form 85P; fingerprints submitted; fingerprint results; Letter of Inquiry sent (preliminary clearance); Letter of\nInquiry received (preliminary clearance); final preliminary clearance assessment; sent to OPM; received from OPM;\nand Letter of Inquiry sent (adjudication).\n\nWe also tested all 108 files for completeness of 24 key documents in the review process that the\nPSSP team and we considered critical to the review and to support the investigation\xe2\x80\x99s final\ndetermination. Of the 108 files reviewed, 100 files (93 percent) were lacking one or more of the\ndocuments for which we tested. Of the 100 files with issues identified, we performed 1,794\ntests14 and identified 334 exceptions (19 percent). The current, primarily manual operational\nenvironment requires a large number of forms and documents to be included and lends itself to\nhigher risk of missing documentation. Files missing key documentation are more susceptible to\ninappropriate preliminary clearance and final adjudication determinations.\n\n\n\n13\n     Not all tests were applicable for each file based on the unique nature of each background investigation.\n14\n     Not all tests were applicable for each file based on the unique nature of each background investigation.\n\n\n\n                                                            10\n\x0cTable 8: Files Missing Documents\n                                Files                                        Exceptions by Year\n              Tested      Exceptions         Percentage           2011         2012    Through July 2013\nContractor      58            51                88%               100%         83%             82%\nEmployee        50            49                98%               100%         95%            100%\n\nTotal            108           100               93%              100%          89%                88%\nSource: OIG analysis of background investigation files.\nNote: Tests performed assessed, where applicable, the files for a record of the following: e-QIP or Form 85P;\nDeclaration for Federal Employment; applicant certification statement; tax check waiver; credit report; public record\n                         \xc2\xae\nreport from LexisNexis ; previous investigations from CVS; fingerprint card; Background Investigation Questionnaire\n(FDIC Form 1600/04); Notice and Authorization Pertaining to Consumer Reports (FDIC Form 1600/10); fingerprint\nresults; Letter of Inquiry (preliminary clearance); email to OIG and Division of Resolutions and Receiverships (DRR);\nOIG and DRR results email; OPM Investigation Report; Letter of Inquiry (adjudication); notification letter to employee;\nForm 79A; and Certificate of Investigation. Also, testing assessed whether the following, where applicable, were\nadequately supported: mitigated derogatory OPM results; files OPM returned as unacceptable; mitigated Letter of\nInquiry (preliminary clearance); mitigated derogatory preliminary clearance results; and mitigated Letter of Inquiry\n(adjudication).\n\nAs discussed in the next section, we concluded that our testing results could be attributed to\nweaknesses in policies and procedures and historical management resource issues.\n\nPSSP Policies and Procedures\n\nWe concluded that PSSP policies and procedures in key control, process, and reporting areas\nwere not in place, well understood, nor consistently practiced by federal or contractor employees.\nPolicies and procedures are important in ensuring that management directives are carried out\ncompletely and consistently. SEPS provided a policies and procedure manual related to\npreliminarily clearing, investigating, and adjudicating potential FDIC employees and contractor\nstaff. The manual consisted of a loose collection of briefing slides, job aids, and form letters.\nMost of the SEPS employees that we interviewed did not recognize the manual. SEPS team\nmembers initially told us a policies and procedures manual did not exist and that the PSSP\nsupport contractor was developing a manual.\n\nSEPS approved and issued the Standard Operating Procedures Handbook for Operations at\nFDIC in the fourth quarter of 2013 for PSSP support contractor staff. The revised procedures\nappear detailed and comprehensive. However, SEPS still needs to develop updated procedures\nthat address the roles and responsibilities unique to the SEPS federal employees.\n\nManagement Oversight of the PSSP\n\nWe concluded that SEPS management resource issues also contributed to some of our testing\nresults, both with respect to continuity and span of control. During the period under evaluation,\nthe former SEPS Assistant Director managed the function through 2012, with the current\nAssistant Director assuming responsibility in January 2013. The Corporate Services Branch\nDeputy Director also retired in October 2013. Additionally, the PSSP contractor experienced\nmanagement and staff turnover. These management and staffing changes created continuity\nchallenges for the PSSP.\n\n\n\n\n                                                          11\n\x0cThe Assistant Director is also responsible for other DOA program areas. Specifically, in\naddition to personnel security, the Assistant Director oversees emergency preparedness, physical\nsecurity, and transportation. These areas are staffed by an additional 10 FDIC permanent\nemployees. Having all of these program responsibilities creates a wide span of control for the\nAssistant Direct and limits his ability to effectively oversee PSSP operations.\n\nIn addition to the Assistant Director, the SEPS Personnel Security Unit had five federal\nemployees during the period of our evaluation: a Lead Personnel Security Specialist and another\npersonnel security specialist, both FDIC permanent positions; two additional FDIC term\npersonnel security specialists;15 and a personnel security assistant. The Lead Personnel Security\nSpecialist is responsible for:\n\n     \xef\x82\xb7   overseeing and directing daily activities of the personnel security staff;\n     \xef\x82\xb7   researching, writing and updating program policies and procedures; and\n     \xef\x82\xb7   ensuring the PSSP complies with federal regulations, EOs, and FDIC directives.\n\nThe Lead Personnel Security Specialist position should also serve as the oversight manager\n(OM) for the PSSP support contract. However, DOA management determined that the current\nLead Personnel Security Specialist had a conflict with performing that duty. As a result, DOA\nmanagement assigned PSSP support contract OM responsibilities to the Assistant Director,\nwhich broadens his span of control.\n\nIn October 2013, the FDIC approved a new Chief, Security Operations Unit, position that should\nprovide much needed day-to-day PSSP supervision. DOA filled the Chief position in early 2014.\nFigure 1 represents the new SEPS organizational structure.\n\n\n\n\n15\n  Of the two FDIC term personnel security specialists, one individual\xe2\x80\x99s term ended in September 2013 and is no\nlonger with the FDIC. The second individual resigned at the end of May 2014 to accept permanent employment\noutside the FDIC.\n\n\n\n                                                       12\n\x0cFigure 1: SEPS New Organizational Structure\n                                                              Assistant Director\n                                                                CM-0301-02\n\n\n\n                            Special Security\n                                Officer\n                             CG-0080-14\n\n\n\n\n              Chief,                                                                                     Lead, Physical\n                                                               Chief, Security\n          Transportation                                                                                    Security\n                                                               Operations Unit\n           Supervisory                                                                                  Non-Supervisory\n                                                                CM-0080-01\n           CG-0301-14                                                                                     CG-0080-14\n\n\n\n\n                                          Lead, Emergency                           Lead, Personnel\n           Operations                                                                                   Physical Security\n                                            Preparedness                               Security\n            Specialist                                                                                     Specialist\n                                          Non-Supervisory                           Non-Supervisory\n           CG-0303-12                                                                                     CG-0080-11\n                                             CG-0089-14                               CG-0080-14\n\n\n\n\n                                                Emergency                          Personnel Security\n           Operations                          Preparedness                                             Physical Security\n            Assistant                                                                  Specialist          Specialist\n                                                 Specialist                           CG-0080-13\n           CG-0303-06                           CG-0089-14                                                CG-0080-11\n\n\n\n\n                                                Emergency                          Personnel Security\n           Lead, Motor                         Preparedness                            Specialist\n         Vehicle Operator                        Specialist                           CG-0080-11\n           WL-5703-09                           CG-0089-12                               (term)\n\n\n\n\n                                                                                   Personnel Security\n                                                                                       Assistant\n                                                                                      CG-0086-07\n\n\nSource: SEPS.\n\nProgram Changes and Improvements\n\nThe current Assistant Director indicated that he made a number of program changes following\nour testing period and realized program improvements in late 2013 and early 2014, such as:\n\n   \xef\x82\xb7   Eliminating the backlog of pending and in-process cases and reducing the processing\n       time for submissions to OPM. The Assistant Director indicated that SEPS had reduced\n       its background investigations backlog from 650 cases in April 2013 to 113 cases in\n       March 2014.\n   \xef\x82\xb7   Eliminating the adjudication case backlog from 464 cases in April 2013 to 14 cases in\n       March 2014.\n   \xef\x82\xb7   Implementing the use of OPM\xe2\x80\x99s e-QIP system to electronically submit background\n       investigation questionnaires from 44 percent in June 2013 to 100 percent in March 2014.\n       The Assistant Director noted that the use of e-QIP should result in shorter review time\n       frames before submission to OPM, reductions in submission rate errors, and increased\n       case tracking accountability.\n   \xef\x82\xb7   Completing a review of all FDIC position descriptions (1,315) to ensure they had\n       appropriate position sensitivity determinations using OPM\xe2\x80\x99s automated Position\n       Designation Tool.\n   \xef\x82\xb7   Instituting a periodic reinvestigation program for incumbent federal staff occupying\n       moderate risk positions.\n\n\n\n                                                                     13\n\x0c   \xef\x82\xb7   Increasing manpower levels associated with the security support contract by adding\n       experienced adjudicators and security assistants, replacing the project manager with a\n       more experienced senior project manager, and creating and staffing an assistant project\n       manager and a business analyst position.\n   \xef\x82\xb7   As discussed earlier, reorganizing SEPS; establishing one new federal supervisory\n       position to manage the Security Operations Unit, which oversees the PSSP; and hiring an\n       experienced career federal employee to provide day-to-day close supervision and\n       management of the security support contract and federal staff.\n\nAs discussed elsewhere in this report, SEPS also began an effort to digitize background\ninvestigation files and automate the PSSP process through an enterprise content management\nplatform, known as the Personnel Security Records (PERSEREC) project. This effort is\nintended to improve records management, program efficiency, and performance reporting.\n\nRecommendations\n\nOverall administration of the PSSP program could be strengthened as indicated by our findings\nassociated with the preliminary clearance and adjudication determinations we reviewed. As\nnoted throughout this section of the report, those findings must be viewed in the context of the\ntiming of our testing and the evolving nature of the program. In that regard, we identified\nopportunities for DOA to take steps that complement the Assistant Director\xe2\x80\x99s efforts and ensure\nthat program improvements are sustained and effective. Accordingly, we recommend that the\nDirector, DOA:\n\n   1. Work with the Legal Division to clarify (a) under what circumstances SEPS should\n      submit background investigations that may fall outside the Minimum Standards of\n      Fitness requirements for legal review and (b) how SEPS should handle background\n      investigation cases involving probation before judgment situations.\n\n   2. Establish and implement standard operating procedures for SEPS employees to\n      complement the Standard Operating Procedures Handbook for Operations at FDIC\n      developed for the PSSP support contractor.\n\n   3. Direct DOA\xe2\x80\x99s Management Services Branch to follow up on issues raised in this report\n      after a reasonable period of time is allowed for implementation of control improvements.\n\n\nContractor Performance and Oversight\nDOA substantially relies on the PSSP support contractor to perform background investigation\nfunctions and to provide personnel suitability program support. We found that most contractor\ncharges that we reviewed were supportable. We identified a few exceptions related to contractor\novertime hours, labor category mix, the timely signature of modifications, and written approvals\nfor key personnel changes. Further, while we determined that most contractor staff met\nminimum qualifications, we identified two staff that did not. Finally, we concluded that contract\n\n\n\n\n                                               14\n\x0coversight could be strengthened by SEPS establishing better criteria for measuring contractor\nproduction and performance.\n\nAs of the start of our field work in September 2013, the PSSP was supported by 22 contractor\nstaff, as shown in Figure 2, below.\n\nFigure 2: PSSP Support Contractor Staff Organizational Structure\n                                                                            Senior Project\n                                                                              Manager\n\n\n\n                                                      Assistant Project\n                                                         Manager\n\n\n\n\n                                                                                                                                              Emergency\n                      Personnel Security      Personnel Security          Personnel Security   Personnel Security   Business Process\n     Adjudicator II                                                                                                                          Preparedness\n                      Specialist III (Lead)      Specialist II               Specialist I          Assistant I         Consultant\n                                                                                                                                                Officer\n\n\n\n\n                                              Personnel Security          Personnel Security   Personnel Security\n     Adjudicator II\n                                                 Specialist II               Specialist I          Assistant I\n\n\n\n\n                                              Personnel Security                               Personnel Security\n     Adjudicator II\n                                                 Specialist II                                     Assistant I\n\n\n\n\n                                              Personnel Security                               Personnel Security\n     Adjudicator I\n                                                 Specialist II                                     Assistant I\n\n\n\n\n                                                                                               Personnel Security\n     Adjudicator I\n                                                                                                   Assistant I\n\n\n\n\n                                                                                               Personnel Security                  Supports\n                                                                                                   Assistant I                  Transportation\n\n\nSource: SEPS.\n\nWe performed tests of the contractor\xe2\x80\x99s invoices and assessed the extent to which the contracting\nofficer (CO), OM, and technical monitor (TM) for the PSSP support contract followed FDIC\nprocedures related to their roles in oversight and administration of the contract. Results of this\naspect of our review follow.\n\nInvoice Testing. We obtained the population of invoices submitted and paid during the\nevaluation period and selected a non-statistical sample of four invoices to identify the nature and\nextent of costs incurred, verify rates billed were correct, determine that hours billed were\nauthorized, and confirm labor category maximums defined in the contract were followed. We\nfound that most contractor charges were supportable. The few exceptions we did identify related\nto labor category mix and overtime hours and were either satisfactorily addressed by the OM or\nnot significant.\n\n\n\n\n                                                                                  15\n\x0cContract Modifications. The current PSSP support contractor assumed the contract from a\nprevious contractor via a novation contract effective May 1, 2013 and retained the previous\ncontract terms and the previous contractor\xe2\x80\x99s personnel supporting the FDIC\xe2\x80\x99s PSSP. We\nreviewed all contract modifications associated with the PSSP support contract. While contract\nmodifications were appropriately signed, signatures were not always timely. First, 2 of 32\ncontract modifications and other notifications that we tested were signed 28 days after their\neffective date. The CO noted that this is not against FDIC policy. Second, the language in the\nbody of the novation contract, which changed the contractor from the old to the new PSSP\nsupport contractor, stated the modification was effective April 1, 2013. However, the top of the\nmodification shows an effective date of May 1, 2013, which was also the date the modification\nwas signed. The CO advised us that the novation was anticipated to be effective April 1, 2013,\nbut the process for approval took longer than expected. The CO noted that the April 1, 2013\neffective date in the body of the contract was an oversight. Signing contracts after their effective\ndate could raise legal challenges as to responsibilities and obligations if disputes were to arise\nregarding events occurring between the effective date and the signature date of the contract.\n\nContractor Key Personnel. The PSSP support contract requires the contractor to give the CO\nnotice 14 days prior to key personnel changes, and the CO is required to approve all such\nchanges in writing. Further, the FDIC\xe2\x80\x99s Acquisition Policy Manual (APM) requires that the CO\nissue a contract modification when such changes are needed. In 12 of 35 key personnel changes\nwe tested, there was no documentation supporting that the CO was notified, nor any evidence of\na contract modification addressing the changes.\n\nContractor Staff Qualifications. We assessed 25 contractor personnel additions and\n6 contractor position level increases associated with the PSSP support contract. Our evaluation\ncompared PSSP support contractor staff r\xc3\xa9sum\xc3\xa9s relative to the minimum qualifications outlined\nin the PSSP support contract for each labor category. We did not receive contractor r\xc3\xa9sum\xc3\xa9s for\ntwo PSSP support contractor staff.\n\nWe determined that most contractor staff met minimum qualifications. However, there were two\ninstances where our assessment found PSSP support contractor staff were cleared as Personnel\nSecurity Assistants with qualifications lower than the minimum required criteria cited in the\ncontract. The Personnel Security Assistant is the lowest level labor category associated with the\ncontract. The CO advised us that the minimum qualifications are a guideline and the ultimate\ndecision is at the OM\xe2\x80\x99s discretion. However, the FDIC\xe2\x80\x99s Acquisition Procedures, Guidance and\nInformation provides that the OM must ensure that contractor personnel possess the requisite\nexperience and qualifications required by the contract through evaluation of an individual\xe2\x80\x99s\nr\xc3\xa9sum\xc3\xa9, observation of an individual\xe2\x80\x99s performance, or both.\n\nWe found one instance in which a PSSP support contractor staff member was promoted from\nPersonnel Security Assistant to Security Specialist I within a few months of going through\nclearance. In our view, the person\xe2\x80\x99s qualifications and background were not satisfactory for the\npromotion based on the minimum position criteria and the PSSP support contractor staff\nmember\xe2\x80\x99s project experience. The PSSP support contractor staff member was eventually\ndemoted back to Personnel Security Assistant because, according to the PSSP support contractor\nSenior Program Manager, there was reduced need for a Security Specialist I position. Based on\n\n\n\n                                                 16\n\x0cdiscussion with SEPS employees, the individual was not qualified for the position and was not\nperforming in the Personnel Security Assistant role or the Security Specialist I role.\n\nEvaluation of Contractor Performance. The OM, with the TM\xe2\x80\x99s assistance, performs annual\nevaluations of the PSSP support contractor to document the quality of the contractor\xe2\x80\x99s product or\nservice, the contractor\xe2\x80\x99s cost control, timeliness of the contractor\xe2\x80\x99s performance, business\nrelations, and satisfaction with the contractor. The FDIC has not identified any negative\nperformance issues through those evaluations since the contract originated in November 2010.\nThe contract does not include either measurable production or performance criteria, and the\ndeliverables noted in the contract are very broad and have no milestones or timing requirements.\nSpecifically, Section 3.0, Requirements/Tasks, of the contract\xe2\x80\x99s Statement of Work (SOW)\nsummarized contractor expectations as general support of the PSSP in the areas of: personnel\nsecurity, physical security, and emergency preparedness. Another SOW section indicates only\nthat the \xe2\x80\x9cContractor shall deliver the required services as specified in the SOW,\xe2\x80\x9d essentially\nreferring to itself, with no specific contract deliverables or related milestones specified. As the\ncontract requirements are geared towards general support of these areas, performance\ndeliverables and assessment of these deliverables are not easily quantifiable or measured.\n\nThe Assistant Director told us that he and the PSSP support contractor Senior Program Manager\nbegan having weekly one-on-one status meetings in 2013, upon his arrival. In addition, in\nconjunction with these status meetings, the Assistant Director and the Senior Program Manager\nbegan developing weekly performance metrics in May 2013. Performance information is\ncurrently collected and reported manually by each federal employee and contractor.\nImplementation of the PERSEREC project should help to improve the reliability of underlying\nperformance metric data and automate and enhance performance reporting. SEPS plans to have\nPERSEREC present management with a real-time, online dashboard reporting capability.\n\nThe APM recommends performance-based acquisition and performance-based management for\nservice contracts over $1,000,000. The PSSP support contract awarded in 2010 was for more\nthan $18 million but did not stipulate performance criteria, defined deliverables, or milestones to\nmeet the APM performance-based acquisition and management criteria. Such metrics facilitate\nmonitoring contractor performance and efficiency. Further, strong contract oversight helps to\nprevent the FDIC from overpaying for services, paying for services that are not allowed under\nthe contract, accepting changes or additions to key personnel and contract terms without\nappropriate consideration, or violating FDIC contracting policy.\n\nRecommendations\n\nTo strengthen the FDIC\xe2\x80\x99s oversight of the PSSP support contractor, we recommend that the\nDirector, DOA:\n\n   4. Amend the PSSP support contract to establish clearly defined deliverables, key\n      milestones in the background investigations process, and measurable performance\n      criteria.\n\n\n\n\n                                                17\n\x0c   5. Apply APM guidance for performance-based management to the PSSP support contract\n      to periodically assess and document contractor performance against defined deliverables,\n      process milestones, and measurable performance criteria.\n\n\nRecords Management Controls\nWe concluded that records management controls over PSSP files, which include extensive\namounts of sensitive personally identifiable information (PII), need improvement. We observed\nthat file rooms were overloaded and disorganized and contained boxes of unfiled background\ninvestigation documents. PSSP was challenged in timely providing background investigations\nfiles that we selected for our review. We also observed that physical security over SEPS work\nspace could be strengthened. For example, the SEPS office suite is not secured by card entry and\ncontractors work in cubicles that cannot be secured as effectively as an office. These records\nmanagement weaknesses create inefficiency and, along with physical security issues, present\nrisks to the FDIC. Circular 1210.1, FDIC Records and Information Management (RIM) Policy\nManual, stipulates that files \xe2\x80\x9cshould be maintained in an orderly, systematic manner so\ndocuments can be retrieved quickly and sensitive information protected.\xe2\x80\x9d\n\nWe performed a walkthrough of the PSSP work environment, including the PSSP file room,\ncontractor work rooms, SEPS employee offices, and the FDIC file storage room, all of which are\nwithin the FDIC\xe2\x80\x99s Virginia Square office complex. The PSSP work space and files for current\nFDIC employees and contractors, or \xe2\x80\x9cactive files,\xe2\x80\x9d are located at the Virginia Square location.\n\xe2\x80\x9cNon-active files\xe2\x80\x9d are transferred to an offsite records management storage facility.\n\nWe recognize that while the current PSSP environment is paper-based and manual, SEPS has\nbegun to digitize and automate the PSSP process. Digitization and automating PSSP processes\nshould help address the issues we found during our review; however, digitizing and automating\nPSSP processes does not ensure or negate the need for strong, comprehensive records\nmanagement controls in PSSP\xe2\x80\x99s future environment.\n\nPSSP Work Space. At the time of our evaluation, the PSSP file room had boxes of files\nstacked on the floor and on top of the file cabinets. There were also boxes of unidentified\npersonnel forms and documentation that had yet to be included in personnel files. While more\norganized than the PSSP file room, the PSSP support contractor work rooms also had large\nvolumes of boxed files and a significant amount of unfiled documents on desks.\n\nThe applicant file information (e.g., fingerprint results, OPM follow-up results, etc.) that was\nunfiled and stored in boxes in the PSSP file room was not easily retrievable because the files\nwere not labeled to match the official background investigation file or maintained in any\nparticular order, such as by applicant name. The PSSP support contractor Senior Program\nManager advised us that the documents were associated with completed background\ninvestigations. Therefore, in his view, the effort and cost of associating the documents with files\nat an offsite storage facility were not warranted in light of the impending digitization of\nbackground investigation files. Nonetheless, at the time of our review, the records digitization\n\n\n\n\n                                                18\n\x0ceffort had not determined how to associate this information with digitized background\ninvestigation files.\n\nThe PSSP support contractor standard operating procedures document issued in late 2013\ndiscusses file construction and composition in detail; however, it has few references to file\nstorage and maintenance. The PSSP support contract addresses records management only\ngenerally in that contractor staff will file and \xe2\x80\x9cmaintain\xe2\x80\x9d file rooms; however, the contract\nprovides no criteria to establish what \xe2\x80\x9cmaintain\xe2\x80\x9d would mean in terms of organization of files,\nwork space, or file rooms.\n\nFile Storage and Inventory. We also performed a walkthrough of the FDIC background\ninvestigation file storage room in the basement of the FDIC\xe2\x80\x99s Virginia Square facility. The\nFDIC engaged a records management contractor at the beginning of 2012 to reorganize the file\nroom and create a records management system. One records management contractor employee\nmaintains the room. SEPS employees indicated that the file room organization has improved\ngreatly since the records management contractor became involved. We observed that the file\nroom was, to some extent, organized. However, there was not sufficient space to house the files\nin the filing cabinets. There were boxes piled on top of the filing cabinets and on the floor. The\nrecords management contractor employee indicated that the many boxes on the floor either\nneeded to be refiled or were non-active files that needed to be transferred to an offsite records\nmanagement facility.\n\nThe records management contractor employee also walked us through his records management\nsystem, which consisted of several electronic spreadsheets. The records management contractor\nupdates the spreadsheet when each file is taken from the room and when it is returned. The\nspreadsheet only captures file activity since the records management contractor became\nassociated with the project in early 2012 and is limited to files located in the storage room. We\ndid not identify any PSSP-specific records management policy, nor did we see any indication in\nother policies denoting responsibility for maintaining a master inventory of background\ninvestigation files. The records management contract indicates the contractor \xe2\x80\x9cshall provide staff\nand supervisory personnel for records management operations and services on site at FDIC\nlocations, or on Contractor\'s premises while conducting FDIC business.\xe2\x80\x9d However, the contract\nstipulates only for off-site processing and storage that the contractor must \xe2\x80\x9cimplement adequate\nadministrative, technical, physical and procedural security controls to ensure that all FDIC\ninformation in its possession or under its control is adequately protected from loss, misuse, and\nunauthorized access or modification.\xe2\x80\x9d\n\nThe records management contractor also told us that his list would not capture all file movement\nbecause the PSSP team has access to the file storage room and can remove files without his\nknowledge. Access to the file room is maintained by a lead physical security specialist. SEPS\ncould not readily provide us a list of personnel with access to the file room. As a result of our\ninquiry, SEPS indicated that it removed eight individuals from the file storage room access list.\n\nRequested Files. These records management weaknesses also impacted SEPS\xe2\x80\x99 ability to\nprovide requested files for our detailed testing. We selected an original sample of 118 files and\nselected 14 additional files because SEPS was having difficulty locating some of the files. We\n\n\n\n                                                19\n\x0creviewed 108 files that SEPS provided timely. SEPS provided most of the remaining files over a\n3-week period; however, five files remained missing at the end of our field work. The records\nmanagement contractor\xe2\x80\x99s file system also did not accurately reflect the status or location of some\nof the files.\n\nThe records management weaknesses we identified pose risks to the FDIC, including\nunauthorized release and access to large volumes of PII and the inability to readily obtain\ndocumentation that supports background investigation determinations. As discussed later, during\nour evaluation, SEPS began an effort to digitize background investigation files and automate the\nPSSP process through an enterprise content management platform. This effort should greatly\nimprove records management controls and process efficiency. SEPS has also indicated that it is\nbeing mindful of building adequate workflow process controls into the automation effort to\naddress deficiencies noted in this report.\n\nRecommendations\n\nWe recommend that the Director, DOA:\n\n   6. Ensure that the ongoing and future records digitization and PSSP automation efforts\n      include effective inventory controls that include clearly defining responsibilities to\n      periodically inventory both electronic and non-electronic PSSP records, whether\n      maintained at the FDIC\xe2\x80\x99s Virginia Square facility or offsite; maintaining PSSP work\n      space in a manner that would prevent loss or inadvertent disclosure of electronic and\n      non-electronic records; conducting periodic inspections of work and file spaces; and\n      setting and monitoring timeframes for filing or recording information.\n\n   7. Establish effective physical controls to all PSSP work space, including PSSP support\n      contractor work space, to ensure space can only be accessed by authorized personnel.\n\n\nInformation Systems Reliability and Controls\nWe concluded that the background investigation data were not reliable in the DOA systems used\nto capture preliminary clearance data and provide management reporting: the Background\nInvestigation Review Tracking (BIRT) System and the Corporate Human Resources Information\nSystem (CHRIS). We determined that the controls over BIRT data input and review could be\nstrengthened and that the two systems contained redundant data.\n\nReliability of BIRT and CHRIS Data. The PSSP team uses BIRT solely to capture and retain\npreliminary clearance data related to the PSSP. BIRT was created to house preliminary\nclearance related data so CHRIS would not be used to house data for potential employees or\ncontractor personnel that did not preliminarily clear. The PSSP team updates data in BIRT\nmanually, and there is neither review of data entered into BIRT nor approval functionality in the\nsystem. Generally, any field in BIRT can be updated and overwritten by anyone with access, at\nany point in time. BIRT has an audit function, but it is not used. BIRT\xe2\x80\x99s data is redundant in\n\n\n\n\n                                                20\n\x0cregards to preliminary clearance data captured in CHRIS for employees and contractor personnel\nwho have been preliminarily cleared, although BIRT captures more data fields than CHRIS.\n\nCHRIS is the FDIC\xe2\x80\x99s human resources information system, which also contains the employee\nand FDIC contractor staff data for the PSSP. CHRIS retains both preliminary clearance and\nadjudication data in separate areas, but the primary CHRIS function related to the PSSP is to\ncapture and retain adjudication data. The preliminary clearance section of CHRIS is redundant\nof information captured in BIRT, capturing only a subset of the BIRT data. BIRT and CHRIS do\nnot interface, and all input is manually entered into each system.\n\nWe tested all 108 files for accuracy and completeness of 7 key BIRT fields and 9 key CHRIS\nfields as applicable to each of the respective files. Of the 108 files in our sample, we identified\nissues in 93 files (86 percent). In total, we performed 1,132 tests16 and identified 278 exceptions\n(25 percent) among the 93 files.\n\nFor BIRT, we tested 7 key fields for completeness and accuracy, resulting in 545 applicable\ntests. We identified 86 exceptions (16 percent) in 39 files (36 percent).17\n\nTable 9: BIRT Records with Missing or Erroneous Data\n                                  Files                                        Exceptions by Year\n                Tested        Exceptions       Percentage           2011         2012     Through July 2013\nContractor        58              23              40%               53%          29%              41%\nEmployee          50              16              32%               15%          43%              44%\n\nTotal              108             39               36%             32%            36%                  42%\nSource: OIG analysis of background investigation files and BIRT system data.\nNote: Tests performed, where applicable, confirmed BIRT recorded the following: receipt of e-QIP; fingerprints\nsubmitted to Department of Justice; fingerprint results received; Letter of Inquiry sent (preliminary clearance); Letter\nof Inquiry Response (preliminary clearance); transfer records; and preliminary clearance assessment.\n\nFor CHRIS, we tested 9 key fields for completeness and accuracy, resulting in 587 applicable\ntests. We identified 192 exceptions (33 percent) in 83 files (77 percent).18\n\nTable 10: CHRIS Records with Missing or Erroneous Data\n                                  Files                                        Exceptions by Year\n                Tested        Exceptions       Percentage           2011         2012     Through July 2013\nContractor        58              35              60%                53%         58%             71%\nEmployee          50              48              96%               100%         95%             89%\n\nTotal              108             83               77%             78%            76%                 77%\nSource: OIG analysis of background investigation files and CHRIS data.\nNote: Tests performed, where applicable, confirmed CHRIS recorded the following: transfer records; final\ninformation summary sheet for transfer records; sent to OPM; date form sent, received, and investigation initiated;\npreliminary clearance assessment; OPM schedules review; OPM results received; Letter of Inquiry submitted; final\nadjudication.\n\n\n\n16\n   Not all 16 fields were applicable to each file based on the unique nature of each background investigation.\n17\n   Not all BIRT fields are applicable to each file.\n18\n   Not all CHRIS fields were applicable to each file based on the unique nature of each background investigation.\n\n\n\n                                                           21\n\x0cWe found no clear or consistent practices for updating or reviewing data entries made to BIRT\nand CHRIS. This results in inconsistent updates to CHRIS and BIRT fields. The resulting\nreports produced from these systems are incomplete and not reliable. As noted previously,\nCHRIS can be updated by members of the PSSP team as well as other groups within the FDIC\nwithout approvals or an audit trail. This situation poses a risk that background investigation\ninformation could be inadvertently or purposefully changed without detection.\n\nThe Assistant Director indicated that when PERSEREC is fully operational, BIRT will no longer\nbe needed and will be retired. SEPS also plans to deploy a business process management\nsystem, known as eWORKS (Enterprise Workforce Solution) in 2015. eWORKS will integrate\nPERSEREC with CHRIS and OPM systems to effect automatic data synchronization, track and\nupdate the status of cases as DOA completes each step in the process, and automate the sending\nand receiving of background investigation case information. eWORKS is currently in the\nplanning stage.\n\nReliability of PSSP Reporting. Our evaluation included an assessment of the current PSSP\nreporting environment and structure. Discussions with the PSSP team identified the current\nreports the team used. For the 11 reports identified, we determined the source data for the\nreports, how they were prepared, and report purpose. Two of the reports are from BIRT, one\nreport is from CHRIS, four reports are prepared manually, and four reports are from OPM.\nThese reports are currently used to ensure completeness of reviews and appropriate investigation\nstanding of each employee and contractor staff person within the FDIC.\n\nThe seven reports that are extracted from CHRIS or BIRT or manually derived may pose risks in\nterms of both completeness and accuracy of reporting. The manually prepared reports are based\non PSSP support contractor staff inputs for which there are no validity controls in place.\nBecause the inputs for all seven of these reports lack accuracy and completeness, the reports\ngenerated from such inputs may be unreliable.\n\nStandardized reporting\xe2\x80\x94based on OPM and internal metrics\xe2\x80\x94should be a fundamental\nmanagement tool to measure PSSP success. The current paper-based records management\nsystem, coupled with unreliable BIRT and CHRIS data, hampers SEPS\xe2\x80\x99 ability to accurately\nmeasure PSSP successes, failures, or progress where constructive improvements have been\nmade.\n\nRecommendation\n\nWe recommend that the Director, DOA:\n\n   8. Evaluate existing reporting systems and establish more comprehensive and reliable\n      reporting mechanisms that:\n\n        \xef\x82\xb7   Provide adequate controls to ensure data input and reports are timely and accurate,\n        \xef\x82\xb7   Align with OPM-required timeframes and other key operational metrics, and\n        \xef\x82\xb7   Allow for identifying and addressing missing file documentation.\n\n\n\n\n                                               22\n\x0cDigitization and Automation Efforts\nAs discussed throughout this report, during our evaluation, SEPS began an effort to digitize\nbackground investigation files and automate the PSSP process through an enterprise content\nmanagement platform, known as the PERSEREC project. This effort should improve records\nmanagement and efficiency. However, SEPS will need to ensure that it builds adequate\nworkflow process controls into the automation effort to address the weaknesses noted in this\nreport.\n\nThe SEPS Assistant Director indicated that he has developed a three-phase plan to digitize\nexisting and future background investigation files and automate the background investigation\nprocess.\n\n   \xef\x82\xb7   Phase I of the project will consist of digitally scanning approximately 650,000 pages of\n       existing paper background investigation case files into Documentum, an FDIC-owned\n       document storage system, and developing a method for scanning documents from\n       ongoing background investigation cases into the Documentum repository going forward.\n       In December 2013, the FDIC\xe2\x80\x99s Chief Information Officer\xe2\x80\x99s Council approved the\n       PERSEREC project and $280,000 to complete Phase I.\n\n   \xef\x82\xb7   Phase II of the project will be to develop a process workflow management system to\n       allow SEPS to electronically implement, manage, and monitor the background\n       investigations process. The Assistant Director has $80,000 in DOA discretionary funding\n       to begin researching Phase II solutions. In this respect, we understand that SEPS\n       completed an \xe2\x80\x9cas is\xe2\x80\x9d evaluation of the background investigation process and was\n       planning on completing a \xe2\x80\x9cto be\xe2\x80\x9d process evaluation which would identify process gaps\n       and control weaknesses that the workflow management system should address.\n\n   \xef\x82\xb7   Phase III of the project is conceptual at this point, but would create an enterprise system\n       to manage personnel suitability issues for an employee or contractor \xe2\x80\x9ccradle to grave\xe2\x80\x9d\n       across employees\xe2\x80\x99 and contractors\xe2\x80\x99 tenure with the FDIC.\n\nThe digitization and automation planning documents available to us during this evaluation lacked\nspecificity and did not clearly address how SEPS will remediate existing gaps and weaknesses in\nthe PSSP through the use of Documentum, or what the next automation steps might be once\nPhase I is completed. Management advised us that such planning is currently underway and\nfuture digitization and automation efforts would address PSSP process control weaknesses. We\nbelieve it is important that the PERSEREC project plan specifies specific system-related control\nactivities such as reasonableness and edit tests, supervisory review and approvals,\nreconciliations, task assignment and case tracking, and elapsed-day metrics, to help ensure that\nthe digitized files are complete and to drive process efficiency. SEPS should also use this\nautomation effort as an opportunity to build meaningful performance metrics, dashboard\ncapabilities, and activity reports.\n\n\n\n\n                                                23\n\x0cRecommendations\n\nTo ensure the digitization and automation effort optimizes PSSP records management and\noperations, we recommend that the Director, DOA:\n\n   9. Complete the \xe2\x80\x9cto be\xe2\x80\x9d background investigation process evaluation and identify process\n      gaps and control weaknesses that the workflow management system should address,\n      including issues identified in this report.\n\n   10. Ensure the PERSEREC project plan is sufficiently detailed and comprehensive to address\n       process gaps and control weaknesses; desired reporting and performance metric\n       capabilities; and costs or savings associated with migrating data from BIRT and CHRIS\n       and retiring BIRT, destroying hard copy background investigation records, and digitizing\n       records.\n\n\nCorporation Comments and OIG Evaluation\nThe Director, DOA provided a written response, dated July 24, 2014 to a draft of this report.\nThe response is presented in its entirety in Appendix 6. In the response, the Director, DOA,\ndescribed program improvements that were occurring during and after the scope of our review\nassociated with many of the report\xe2\x80\x99s findings and recommendations. The Director, DOA,\nconcurred with the report\xe2\x80\x99s 10 recommendations and described corrective actions to address each\nrecommendation. The completed or planned actions are responsive and the recommendations\nare resolved. DOA\xe2\x80\x99s management response indicated that it had completed corrective action for\nthree recommendations (recommendations 8, 9, and 10). We met with SEPS officials and\nreviewed supporting documentation and confirmed that those recommendations could be closed.\nThe remaining recommendations will remain open until the FDIC\xe2\x80\x99s Corporate Management\nControl Branch notifies the OIG, or the OIG independently confirms, that corrective actions have\nbeen completed. A summary of the Corporation\xe2\x80\x99s corrective actions is presented in Appendix 7.\n\n\n\n\n                                              24\n\x0c                                                                                   Appendix 1\n\n                   Objective, Scope, and Methodology\nObjective\n\nOur evaluation objective was to determine whether the FDIC is carrying out its Personnel\nSecurity and Suitability Program efficiently and effectively. To fulfill this objective, we\nevaluated (1) FDIC management\xe2\x80\x99s overall administration of the program, including the extent to\nwhich applicable policies and procedures are in place and being followed; (2) oversight and\nadministration of the contract supporting the program; and (3) the nature, extent, allowability,\nand reasonableness of costs incurred under the contract supporting the program.\n\nScope and Methodology\n\nThe scope of this evaluation included the FDIC\xe2\x80\x99s oversight and administration of the Personnel\nSecurity and Suitability Program and contractor personnel and billings from January 1, 2011\nthrough July 31, 2013. We performed our work at the FDIC\xe2\x80\x99s headquarters offices in Arlington,\nVirginia, and Washington, D.C., from August 2013 to January 2014 in accordance with the\nCouncil of the Inspectors General on Integrity and Efficiency\xe2\x80\x99s Quality Standards for Inspection\nand Evaluation.\n\nThe OIG contracted with BDO USA, LLP to assist OIG staff in completing the plan for this\nevaluation, and conducting, analyzing and presenting testing results. The OIG remained\nresponsible for all decisions, including the scope, methodology, and reporting.\n\nProgram Administration. To evaluate the FDIC\xe2\x80\x99s overall administration of the program, we\nfirst gained an understanding of program requirements by:\n\n   \xef\x82\xb7   Reviewing the Federal Deposit Insurance Act, as amended, and related regulations;\n\n   \xef\x82\xb7   Reviewing the following FDIC corporate policies and procedures:\n\n            o FDIC Circular 2120.1, Personnel Suitability Program;\n            o FDIC Circular 2120.5, Minimum Standards for Employment with the Federal\n              Deposit Insurance Corporation ("Corporation") as Mandated by the Resolution\n              Trust Corporation Completion Act ("RTCCA");\n            o FDIC Circular 1610.2, Security Policy and Procedures for FDIC Contractors;\n            o FDIC Circular 1600.3, National Security Program;\n            o FDIC Circular 3700.16, FDIC Acquisition Policy Manual (APM); and\n            o FDIC Acquisition Procedures, Guidance and Information (PGI), August 2013;\n              and\n\n   \xef\x82\xb7   Identifying and reviewing SEPS standard operating procedures in place during the scope\n       of our review, and identifying that the PSSP support contractor was developing, and that\n       SEPS issued during our field work, comprehensive procedures for PSSP support\n       contractor staff.\n\n\n\n\n                                               25\n\x0c                                                                                      Appendix 1\n\n                     Objective, Scope, and Methodology\nIn addition, we interviewed the following FDIC officials to determine their roles,\nresponsibilities, and perspectives related to this evaluation\xe2\x80\x99s objective, including how business\nprocesses have changed to address OPM program review findings and recommendations or\nimprove PSSP procedures generally:\n\n    \xef\x82\xb7   Acting Chief Information Officer;\n    \xef\x82\xb7   Director, DOA;\n    \xef\x82\xb7   Deputy Director, CSB (retired early October 2013);\n    \xef\x82\xb7   Assistant Director, SEPS;\n    \xef\x82\xb7   Lead Personnel Security Specialist and other SEPS personnel;\n    \xef\x82\xb7   Senior Program Manager and other PSSP support contractor staff; and\n    \xef\x82\xb7   The file storage room records management contractor employee.\n\nWe also interviewed the Chief Inspector, Agency Oversight, OPM-FIS.\n\nWe performed a walkthrough of the PSSP work environment, including the PSSP file room,\ncontractor work rooms, SEPS employee offices, and the FDIC file storage room, all of which are\nwithin the FDIC\xe2\x80\x99s Virginia Square office complex.\n\nThrough extracts from CHRIS, we determined that PSSP processed 6,907 background\ninvestigations for FDIC employees and contractors from January 1, 2011 through July 31, 2013,\nas shown below:\n\nTable 11: Background Investigations Processed, January 1, 2011 \xe2\x80\x93 July 31, 2013\n                               2011                            2012    Through July 2013\n     Employee                  1,934                           1,250          461\n     Contractor                 689                            1,530         1,043\n\n        Total                  2,623                           2,780         1,504\nSource: OIG evaluation analysis of CHRIS data extracts.\n\nWe selected a non-statistical sample of 108 background investigation files from that universe, as\ndescribed in Appendix 2, Sampling Methodology.\n\nFinally, we reviewed the 108 background investigation files to determine if the PSSP was\nconducted economically, efficiently, and effectively by testing and analyzing, where applicable,\nthe following:\n\n    \xef\x82\xb7   Summary Sheet data,\n    \xef\x82\xb7   File documentation,\n    \xef\x82\xb7   Accuracy and completeness of CHRIS and BIRT data,\n    \xef\x82\xb7   Prior investigation(s),\n    \xef\x82\xb7   Risk level of position and investigation performed,\n    \xef\x82\xb7   Preliminary clearance and adjudication decisions, and\n    \xef\x82\xb7   Processing timeliness.\n\n\n                                                          26\n\x0c                                                                                    Appendix 1\n\n                  Objective, Scope, and Methodology\n\nIn addition, we reviewed the proposed IT improvement strategy and performed a gap analysis to\nidentify areas for improvement to the IT program in support of the PSSP.\n\nContract Administration. To evaluate oversight and administration of the PSSP support\ncontract, we first obtained the relevant contract dated in 2010 and contract modifications. We\nthen:\n\n   \xef\x82\xb7   Interviewed the current and former COs, OM (who is the SEPS Assistant Director), and\n       TM;\n\n   \xef\x82\xb7   Reviewed the contract and modifications to confirm they were processed timely and\n       correctly under FDIC policies and procedures;\n\n   \xef\x82\xb7   Determined the extent to which the CO, OM, or TM vetted key contractor staff when\n       changes occurred, and\n\n   \xef\x82\xb7   Assessed how the CO and OM assessed contractor performance.\n\nContract Costs. To determine the nature, extent, allowability, and reasonableness of costs\nincurred under the contract(s) supporting the FDIC\xe2\x80\x99s Personnel Security and Suitability Program,\nwe tested a non-statistical sample of contractor invoices for services performed from January\n2011 through July 2013. (See Appendix 2, Sampling Methodology, for further information.)\n\nOngoing Program Changes. We determined that SEPS made a number of program changes,\nrealized some program improvements in late 2013 and early 2014, and hired new management\nand key staff. While we expect that these efforts will strengthen the PSSP, they occurred largely\nafter our testing period, and we were unable to review or verify them. However, we did consider\nthose efforts in forming the recommendations in this report.\n\n\n\n\n                                               27\n\x0c                                                                                      Appendix 2\n\n                              Sampling Methodology\n\nThis evaluation used non-statistical samples for all testing. The results of non-statistical samples\ncannot be projected to the intended population by standard statistical methods.\n\nProgram Administration Testing\n\nThe figures below depict the 108 sample files that we judgmentally selected for testing. The\npopulation consisted of all files active in the PSSP from the period January 1, 2011 through\nJuly 31, 2013, which included 6,907 files identified through CHRIS based on activity within\nthose periods.\n\nWe originally selected 118 files, and then selected an additional 14 files due to missing files that\nthe PSSP team was not able to locate over a period of 20 days, 5 of which were still missing as of\nJanuary 31, 2014, 3 months after our initial request for files and a month after the end of our\nfield work. Of the total 132 files selected, only 108 were tested. We excluded from testing four\nfiles due to core activity being performed outside of the review period and not related to active\npersonnel security and suitability checks, and 15 files because the PSSP team was not able to\nlocate the files timely.\n\nThe 108 files selected for testing were from the population of active reviews identified in the\nCHRIS system. We requested all files that had activity in the CHRIS preliminary clearance\nmodule as well as the CHRIS employee and contractor modules. FDIC officials provided three\nCHRIS data extracts, one for each of these CHRIS modules, showing all files that had activity in\nour evaluation period.\n\nIn selecting our sample, we first identified files that were reflected in both the CHRIS\npreliminary clearance population as well as the CHRIS employee or contractor populations. We\nidentified the type of employment, background investigation type, adjudication determination,\nand OPM risk designation. We then judgmentally selected files from each category to obtain a\nrepresentative number of files based on employment type and background investigation type.\nThese were further broken down by the adjudication determination and OPM risk designation, to\nidentify and include higher risk files in our sample, relative to the population.\n\n\n\n\n                                                 28\n\x0c                                                                                                        Appendix 2\n\n                                   Sampling Methodology\nTable 12: Sampled Files by Type of Investigation\nInvestigation              Population                            Sample\n     Type     Contractor Employee Total Percentage Contractor Employee Total Percentage\n ANACI                 1       16     17       0%           1        1    2         2%\n BDI                   2        1      3       0%           1        1    2         2%\n BI                  470      156   626        9%         13         3   16        15%\n Fingerprint\n                       -       17     17       0%           -        2    2         2%\n Request\n LBI                   5      334   339        5%           1        4    5         5%\n LDI                   1        1      2       0%           1        1    2         2%\n MBI               2,422    2,404 4,826       70%          27       24   51        47%\n NAC                   1        1      2       0%           1        1    2         2%\n NACI                285      466   751       11%           3        5    8         7%\n NACIC                 1        5      6       0%           1        1    2         2%\n NACLC                 6       43     49       1%           1        1    2         2%\n PRI                   6       48     54       1%           2        1    3         3%\n PRIR                  1        1      2       0%           1        1    2         2%\n RSI                   -        2      2       0%           -        -     -        0%\n SAC                   -        1      1       0%           -        1    1         1%\n SGI36                 3        3      6       0%           1        1    2         2%\n SGI60                 -        2      2       0%           -        1    1         1%\n SSBI                 44       65   109        2%           3        -    3         3%\n SSBI-PR              14       79     93       1%           1        1    2         2%\n\nTotal                  3,262         3,645    6,907           100%             58           50  108             100%\nTotal %                  47%           53%    100%                            54%          46% 100%\nSource: OIG evaluation analysis.\n\nTable 13: Sampled Files by Adjudication Result\n                                                      Population                             Sample\n         Adjudication Result                      Number      Percentage                Number    Percentage\nNo Adjudication                                        1,132         16%                       16        16%\nFavorable                                              5,733         83%                       76        69%\nOther                                                     15          0%                        4         4%\nUnfavorable                                               27          0%                       12        11%\n\nTotal                                                     6,907           100%                    108           100%\nSource: OIG evaluation analysis.\n\nTable 14: Sampled Files by OPM Issue Indicator\n                                                             Population                         Sample\n              OPM Issue Indicator                        Number    Percentage             Number   Percentage\nC & D Issues*                                                 400          6%                 43          40%\nAll Other                                                   6,507         94%                 65          60%\n\nTotal                                                          6,907             100%           108             100%\nSource: OIG evaluation analysis.\n*\n  \xe2\x80\x9cC\xe2\x80\x9d issues are substantial and the conduct or issue, standing alone, may be disqualifying. \xe2\x80\x9cD\xe2\x80\x9d issues are major and\nthe conduct or issue, standing alone, would be disqualifying.\n\n\n\n\n                                                         29\n\x0c                                                                                  Appendix 2\n\n                            Sampling Methodology\nContract Cost Assessment: Invoice Sample\n\nWe judgmentally selected four invoices from a total of 78 invoices that were submitted and paid\nduring the review period. In testing the four invoices, we reviewed:\n\n   \xef\x82\xb7   the nature of hours charged and the related source documentation,\n   \xef\x82\xb7   expenses for compliance with FDIC policies,\n   \xef\x82\xb7   hours billed within contract limits, and\n   \xef\x82\xb7   number of contractors billed in regards to labor category maximums.\n\n\n\n\n                                              30\n\x0c                                                                                    Appendix 3\n\n                  Questioned or Unsupported\n        Preliminary Clearance or Adjudication Decisions\nFollowing are summaries of the 8 files where we questioned the preliminary clearance or\nadjudication decisions or found such decisions lacked support.\n\nQuestioned Reciprocity Decisions. We questioned the PSSP\xe2\x80\x99s reciprocity use in the\nfollowing two cases:\n\n   \xef\x82\xb7   In 2011, the PSSP team indicated in a file that it identified a previous investigation\n       through CVS and entered that information into CHRIS. However, we could not identify\n       a prior investigation through any CVS documentation in the file. We verified that CVS\n       had no prior investigation for the applicant by having a PSSP team member research CVS\n       during our field work. We concluded that a prior investigation for this applicant did not\n       exist; therefore, reciprocity should not have been used. The PSSP team indicated that the\n       cited prior investigation may have been for another applicant, but could not be certain.\n\n   \xef\x82\xb7   In 2012, the PSSP team indicated in a file that it identified a previous investigation\n       through CVS and entered that information into CHRIS. However, that investigation did\n       not have a favorable adjudication. We verified that CVS annotated the adjudication as\n       "please call," which means the adjudication was not favorable or unfavorable, by having\n       a PSSP team member research CVS during our field work. As a result of the \xe2\x80\x9cplease\n       call\xe2\x80\x9d notation, this applicant\xe2\x80\x99s file should have been sent to OPM for investigation;\n       however, this never occurred. PSSP should not have relied on the prior investigation\n       since it was not indicated as \xe2\x80\x9cfavorable,\xe2\x80\x9d a criterion allowing reciprocity. The PSSP team\n       said this was an oversight either due to information from the prior investigation being\n       entered into CHRIS incorrectly, or this file was overlooked.\n\nQuestioned Preliminary Clearance Decisions. We questioned the PSSP\xe2\x80\x99s decisions to\npreliminarily clear two staff:\n\n   \xef\x82\xb7   In a 2011 case, fingerprint results revealed a simple assault arrest and a second degree\n       assault charge, which is a felony. At the time of the PSSP Team\xe2\x80\x99s review, the applicant\n       was on probation before judgment for the second degree assault charge. PSSP sent a\n       Letter of Inquiry to the applicant on the simple assault arrest, but not the second degree\n       assault charge. The PSSP team also did not refer that issue to the Legal Division to\n       review. The applicant was cleared to work as an FDIC contractor. Minimum Standards\n       of Fitness for Employment with the Federal Deposit Insurance Corporation (12 C.F.R.\n       Part 336), prohibits any person from becoming employed or providing service to, or on\n       behalf of, the FDIC who has been convicted of any felony. FDIC and PSSP policies and\n       procedures do not mention probation before judgment situations. However, for a number\n       of federal statutes and regulations, the term \xe2\x80\x9cconviction\xe2\x80\x9d is defined as a judgment or any\n       other determination of guilt of a criminal offense by any court of competent jurisdiction,\n       whether entered upon a verdict or plea, including any resolution that is the functional\n\n\n\n\n                                               31\n\x0c                                                                                                Appendix 3\n\n                   Questioned or Unsupported\n         Preliminary Clearance or Adjudication Decisions\n         equivalent of a judgment, including a plea of nolo contendere, probation before\n         judgment, or deferred prosecution.19 The PSSP team agreed that since the applicant was\n         on probation, the applicant should not have been preliminarily cleared and a Letter of\n         Inquiry should have inquired about both the simple assault arrest and the second degree\n         assault charge. The applicant no longer works under contract for the FDIC.\n\n     \xef\x82\xb7   PSSP began a review in 2010 and did not complete adjudication for 2 years. Preliminary\n         clearance and adjudication processes identified financial issues. The Legal Division\n         approved the applicant through preliminary clearance even though the applicant had a\n         history of financial difficulties, and also noted the applicant would be potentially filing\n         for bankruptcy. After preliminary clearance, the applicant filed for Chapter 7 bankruptcy\n         for an amount exceeding the FDIC\xe2\x80\x99s statutory limit for debts owed to insured depository\n         institutions. In light of these circumstances, we questioned the favorable preliminary\n         clearance.\n\nUnsupported Decisions. Our testing also identified four cases where files did not include\nsufficient support for reciprocity, preliminary clearance, or adjudication decisions.\n\n     \xef\x82\xb7   PSSP used reciprocity to clear an applicant in 2013; however, FDIC Circular 1610.2\n         requires previous approval must have been granted within the last 24 months and there\n         must have been no break in employment in excess of 59 days. The applicant\xe2\x80\x99s file did\n         not document that the prior clearance met that criteria. The PSSP team advised us that\n         they do not consider the 24-month requirement when evaluating a candidate for\n         reciprocity, which is contrary to FDIC Circular 1610.2.\n\n     \xef\x82\xb7   A 2011 applicant\xe2\x80\x99s file was missing fingerprint results, the Preliminary Background\n         Investigation Checklist, and the Summary Sheet, so there was not enough information in\n         the file to draw a favorable preliminary clearance conclusion.\n\n     \xef\x82\xb7   In 2011, PSSP requested a prior OPM review for an applicant but did not rely upon it for\n         reciprocity. Therefore, the FDIC should have conducted its own adjudication; however,\n         the PSSP team acknowledged adjudication was not performed, likely due to an oversight.\n         No adjudication based on reciprocity information was entered into CHRIS. Therefore,\n         based on our review, the adjudication decision was not present or unsupported.\n\n     \xef\x82\xb7   The file for an applicant contained no support for the late 2012 preliminary clearance or\n         early 2013 adjudication determinations. The PSSP team indicated that the file was\n         incomplete but was unable to locate additional support. Therefore, the preliminary\n         clearance and adjudication was unsupported.\n\n19\n  See 8 U.S.C. \xc2\xa7\xc2\xa7 1101; 42 U.S.C. 1320a-7; 5 C.F.R. \xc2\xa7 919.925; 29 C.F.R. \xc2\xa7 98.925; 29 C.F.R. \xc2\xa7 1471.925;\n41 C.F.R. \xc2\xa7 105-68.925; and 48 C.F.R. 1409.403.\n\n\n\n                                                      32\n\x0c                                                                                           Appendix 4\n\n                                          Glossary\n       Term                                               Definition\nAdjudication           The process of making suitability determinations and taking suitability actions\n                       in cases involving positions subject to investigation.\n\nBackground             A background investigation (BI) seeks information about an applicant\'s\nInvestigation          employment, criminal, and personal history in an effort to investigate\n                       behavioral reliability, integrity, and personal adjustment. Background\n                       evaluations are conducted to determine whether there are any historical facts\n                       that would interfere with an applicant\'s ability to perform the job, including\n                       violations of statutes, regulations, or laws.\n\nBankruptcy             Legal procedure for liquidating a business that cannot fully pay its debts out of\n                       its current assets, or property owned by an individual who cannot fully pay his\n                       or her debts out of its current assets. Bankruptcy can be brought upon itself by\n                       an insolvent debtor (called \xe2\x80\x9cvoluntary bankruptcy\xe2\x80\x9d) or it can be forced on court\n                       orders issued on creditors\' petition (called \xe2\x80\x9cinvoluntary bankruptcy\xe2\x80\x9d). Two\n                       major objectives of a bankruptcy are to provide: (1) fair settlement of the legal\n                       claims of the creditors through an equitable distribution of the debtor\'s assets,\n                       and (2) the debtor an opportunity for a fresh start. Bankruptcy amounts to a\n                       business-failure, but voluntary winding up does not.\n\nCentral Verification   CVS, which OPM maintains, is the key system supporting government-wide\nSystem (CVS)           reciprocity of security clearance and suitability vetting determinations for\n                       federal employment, fitness for contractor employees, and eligibility for access\n                       to classified information.\n\nCertification Date     Date on which the Application for Public Trust Position was signed and\n                       submitted.\n\nDerogatory             Any information with a potentially negative impact on an applicant\xe2\x80\x99s\nInformation            assessment for suitability. Typical examples include fraud, trust, patterns of\n                       financial difficulty, and felonies.\n\nFelony                 In general, felonies are descriptive of serious crimes, both violent or non-\n                       violent in nature, which result in a punishment of fines, and in nearly all cases,\n                       a prison sentence of at least one year.\n\nIntelligence Reform    IRTPA, which is Public Law 108-458, addresses many different facets of\nand Terrorism          information gathering and the intelligence community. IRTPA\xe2\x80\x99s eight titles\nPrevention Act of      reflect its broad scope.\n2004 (IRTPA)\n\nLetter of Inquiry      An inquiry sent on behalf of the FDIC to obtain additional information from an\n                       applicant related to the individual\xe2\x80\x99s background investigation.\n\n\n\n\n                                                 33\n\x0c                                                                                        Appendix 4\n\n                                       Glossary\n         Term                                         Definition\nMinimum Standards   Outlined in 12 C.F.R. Part 336, Minimum Standards of Fitness for Employment\nof Fitness          with the Federal Deposit Insurance Corporation prohibits any person from\n                    becoming employed or providing service to, or on behalf of, the FDIC who has:\n\n                        \xef\x82\xb7   been convicted of any felony;\n                        \xef\x82\xb7   been removed from or prohibited from participating in the affairs of\n                            any insured depository institution pursuant to any final enforcement\n                            action by any appropriate federal banking agency;\n                        \xef\x82\xb7   demonstrated a pattern or practice of defalcation regarding obligations\n                            to insured depository institutions; or\n                        \xef\x82\xb7   caused a substantial loss, in an amount in excess of $50,000, to federal\n                            deposit insurance funds.\n\nNational Security   Positions that involve activities of the government that are concerned with the\nPosition            protection of the nation from foreign aggression or espionage and that require\n                    regular use of, or access to, Classified National Security Information. See\n                    FDIC Circular 1600.3 for further information on these types of positions.\n\nNon-Statistical     All samples that do not have all the characteristics of statistical sampling,\nSample              which involve random sample selection and use of probability theory to\n                    evaluate sample results. The results of non-statistical samples cannot be\n                    projected to the intended population by standard statistical methods.\n\nNovation Contract   Substitution of an original party to a contract with a new party, or substitution\n                    of an original contract with a new contract. Upon substitution, the obligations\n                    of the withdrawing-party are automatically discharged and no express-release is\n                    required. To be effective, however, the substitution must be agreed-to by all\n                    the original and new parties to the contract. Novation is never presumed; if the\n                    novation agreement is not in writing, it must be established from the acts and\n                    conduct of the parties. Novation is not the same as assignment of an agreement\n                    where no new agreement is needed and the rights and duties are transferred\n                    from the assignor to the assignee.\n\nPerformance-Based   An acquisition structured around the results to be achieved, as opposed to the\nAcquisition (PBA)   manner in which the work is to be performed. PBA methods give prospective\n                    contractors an opportunity to propose: (1) services and solutions that achieve\n                    the overall objective and (2) the methods for evaluating the progress of the\n                    work and the end product/results/deliverables.\n\nPerformance-Based   A documented, systematic approach to acquisition management. Like\nManagement (PBM)    traditional project management, PBM involves planning and defining (Planning\n                    Phase), implementing and assessing (Measure and Monitor Phase), and\n                    changing (Evaluate and Adjust Phase). These disciplines are not sequential but\n                    come into play throughout the pre-award and post-award phases of the\n                    acquisition cycle. Unlike traditional project management, PBM applies these\n                    disciplines in a holistic way to facilitate project success.\n\n\n\n\n                                              34\n\x0c                                                                                            Appendix 4\n\n                                            Glossary\n        Term                                                 Definition\nPersonnel                Worksheet completed prior to the adjudication determination to document all\nInvestigation            relevant factors of the investigation. Used as support for the final adjudication\nSummary                  determination and FDIC approval.\n\nPersonnel Security       FDIC program to ensure that the Corporation employs and retains in\nand Suitability          employment only those persons who meet all Federal requirements for\nProgram (PSSP)           suitability (i.e., character, reputation, honesty, integrity, trustworthiness) and\n                         whose employment or conduct would not jeopardize the accomplishment of the\n                         Corporation\xe2\x80\x99s duties or responsibilities.\n\nPolicies and             A set of principles, rules, and guidelines formulated or adopted by an\nProcedures Manual        organization to reach its long-term goals and typically published in a booklet or\n                         other form that is widely accessible. Policies and procedures are designed to\n                         influence and determine all major decisions and actions, and all activities take\n                         place within the boundaries set by them. Procedures are the specific methods\n                         employed to express policies in action in day-to-day operations of the\n                         organization. Together, policies and procedures ensure that a point of view\n                         held by the governing body of an organization is translated into steps that result\n                         in an outcome compatible with that view.\n\nPosition Designation OPM developed the Position Designation System to guide agencies in\nSystem               determining the proper level of investigation and screening required based on\n                     an assessment of risk and national security sensitivity. Position designation is\n                     established by 5 C.F.R. 731.106, section 3 of E.O. 10450, as amended, and 5\n                     C.F.R. 732.201.\nPreliminary          Worksheet completed prior to the preliminary clearance determination to\nBackground Checklist document all relevant factors of the investigation used as support for final\n                     preliminary clearance determination and approval.\n\nPreliminary              A preliminary assessment performed by the PSSP team to ensure applicants\nClearance                meet minimum integrity and fitness standards as set forth by the FDIC. These\n                         may include checks of Federal Bureau of Investigation (FBI) fingerprint\n                         criminal records, review of personnel security questionnaires, credit reports\n                         provided by the three major credit reporting agencies, and other internal FDIC\n                         resources.\n\nProbation Before         Probation before judgment is a term used in some states for a deferred\nJudgment                 adjudication, used by some states in sentencing certain first offenders. Laws\n                         governing probation before judgment are governed by state laws, which vary\n                         by state. The term and conditions of the probationary period are at the\n                         discretion of the judge. In some states, if the term of probation is successfully\n                         completed and there are no further violations, a sentence of not guilty will be\n                         imposed. Whether a probation before judgment counts as a conviction or is\n                         eligible for expungement varies by jurisdiction. However, for a number of\n                         federal statutes and regulations, probation before judgment is included in the\n                         meaning of the term \xe2\x80\x9cconviction.\xe2\x80\x9d\n\n\n\n\n                                                   35\n\x0c                                                                                            Appendix 4\n\n                                           Glossary\n       Term                                                Definition\nReciprocity             This is a process in which the applicant is granted full clearance if he or she has\n                        already been the subject of a favorable investigation by another agency and that\n                        such investigation was within acceptable timing and risk parameters.\n\nSensitive Information   Privileged or proprietary information which, if compromised through alteration,\n                        corruption, loss, misuse, or unauthorized disclosure, could cause serious harm\n                        to the organization owning it. Also called sensitive asset.\n\nSummary Sheet           Worksheet attached to all paper files that outlines investigation milestones and\n                        signoffs.\n\n\n\n\n                                                  36\n\x0c                                                                                  Appendix 5\n\n                        Acronyms and Abbreviations\n Acronym/Abbreviation                                    Explanation\n79A                      Report of Agency Adjudicative Action on OPM Personnel Investigations\nANACI                    Access National Agency Check and Inquiries\nAPM                      Acquisition Policy Manual\nBDI                      Update of Previous BI Completed\nBI                       Background Investigation\nBIRT                     Background Investigation Review Tracking\nC.F.R.                   Code of Federal Regulations\nCHRIS                    Corporate Human Resources Information System\nCO                       Contracting Officer\nCSB                      Corporate Services Branch\nCVS                      Central Verification System\nDOA                      Division of Administration\nDRR                      Division of Resolutions and Receiverships\nE.O.                     Executive Order\ne-QIP                    Electronic Questionnaires for Investigation Processing\nFDIC                     Federal Deposit Insurance Corporation\nIRTPA                    Intelligence Reform and Terrorism Prevention Action\nLBI                      Limited Background Investigation\nLDI                      Update of Previous LBI Completed\nMBI                      Moderate Background Investigation\nMSB                      Management Services Branch\nNAC                      National Agency Check\nNACI                     National Agency Check and Inquiries\nNACIC                    National Agency and Inquiries with Credit Check\nNACLC                    National Agency Check with Law and Credit\nOIG                      Office of Inspector General\nOM                       Oversight Manager\nOPM                      Office of Personnel Management\nOPM-FIS                  Office of Personnel Management Federal Investigative Services\nPBA                      Performance-Based Acquisition\nPBM                      Performance-Based Management\nPII                      Personally Identifiable Information\nPRI                      Periodic Reinvestigation\nPRIR                     Periodic Reinvestigation and Residence Coverage\nPSA                      Personnel Security Action\nPSSP                     Personnel Security and Suitability Program\nPSSP Team                SEPS employees and PSSP support contractor staff\nRSI                      Reimbursable Security/Suitability Investigation\nSAC                      Special Agreement Check\nSEPS                     Security and Emergency Preparedness Section\nSGI36                    Upgrade to SSBI from BI completed: 0 to 36 Months\nSGI60                    Upgrade to SSBI from BI completed: 37 to 60 Months\nSOW                      Statement of Work\nSSBI                     Single Scope Background Investigation\nSSBI-PR                  Single Scope Background Investigation Periodic Reinvestigation\nTM                       Technical Monitor\nU.S.C.                   United States Code\n\n                                             37\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         38\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         39\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         40\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         41\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         42\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         43\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         44\n\x0c                       Appendix 6\n\nCorporation Comments\n\n\n\n\n         45\n\x0c                                                                                            Appendix 7\n\n       Summary of the Corporation\xe2\x80\x99s Corrective Actions\n\nThis table presents corrective actions taken or planned by the Corporation in response to the\nrecommendations in the report and the status of the recommendations as of the date of report\nissuance.\n\n                                                            Expected\n Rec.                                                                   Monetary   Resolved:a   Open or\n          Corrective Action: Taken or Planned              Completion\nNumber                                                                  Benefits   Yes or No    Closedb\n                                                              Date\n   1      SEPS will include the appropriate                12/31/2014      $0         Yes        Open\n          clarification and will outline associated\n          procedures in Standard Operating\n          Procedures for PSSP federal and\n          contractor employees.\n   2      Standard operating procedures for                12/31/2014      $0         Yes        Open\n          SEPS employees will be developed.\n   3      DOA\xe2\x80\x99s Management Services Branch                 6/30/2015       $0         Yes        Open\n          (MSB) will evaluate the issues raised in\n          the OIG\xe2\x80\x99s report and follow up on\n          corrective actions and SEPS\xe2\x80\x99 progress\n          as part of the Division\xe2\x80\x99s annual internal\n          review and risk management program.\n          The first MSB review will be\n          completed by the end of the 2nd quarter\n          2015.\n   4      The Contracting Officer and Oversight            12/31/2014      $0         Yes        Open\n          Manager will refine the existing SOW\n          to include a clear list of deliverables,\n          the key milestones in the background\n          investigations process based upon\n          updated PSSP policies and procedures,\n          and other requirements not clearly\n          defined to date. The Contracting\n          Officer will negotiate these changes\n          with the contractor and issue a\n          modification to incorporate the revised\n          SOW.\n\n\n\n\n                                                      46\n\x0c                                                                                          Appendix 7\n\n      Summary of the Corporation\xe2\x80\x99s Corrective Actions\n                                                          Expected\n Rec.                                                                 Monetary   Resolved:a   Open or\n         Corrective Action: Taken or Planned             Completion\nNumber                                                                Benefits   Yes or No    Closedb\n                                                            Date\n  5      Upon completion of the corrective               6/30/2015       $0         Yes        Open\n         action under recommendation 4, DOA\n         will be able to periodically assess and\n         document contractor performance\n         against the newly defined deliverables,\n         process milestones, and performance\n         criteria. In order to assess performance\n         on a more regular basis during the\n         initial year of the refined SOW, the CO\n         and OM will initiate interim quarterly\n         performance evaluations.\n  6      PERSEREC will include supervisory               12/31/2014      $0         Yes        Open\n         review controls to help ensure that all\n         required documents are included in\n         digitized case files. MSB may also\n         verify as part of periodic internal\n         reviews that sampled files are complete.\n         SEPS also noted that completion of the\n         PERSEREC records digitization project\n         will enhance documentation back-up\n         and system access controls.\n  7      SEPS reiterated existing physical               12/31/2014      $0         Yes        Open\n         security controls and implemented a\n         clean-desk policy. SEPS also noted that\n         completion of the records digitization\n         project will provide added protection to\n         sensitive records.\n  8      The PERSEREC solution that DIT                  6/27/2014       $0         Yes       Closed\n         delivered into production in June 2014\n         provides automated reports that will\n         allow DOA SEPS to retire the current\n         BIRT system as well as provide reports\n         necessary to manage the SEPS\n         background investigation program.\n         SEPS also coordinated with OPM to\n         obtain various reports important to\n         OPM case processing metrics.\n  9      DIT completed the \xe2\x80\x9cto be\xe2\x80\x9d background            6/27/2014       $0         Yes       Closed\n         investigation process for automation\n         and document storage associated with\n         the release of PERSEREC to\n         production.\n\n\n\n\n                                                    47\n\x0c                                                                                                      Appendix 7\n\n          Summary of the Corporation\xe2\x80\x99s Corrective Actions\n                                                               Expected\n Rec.                                                                        Monetary      Resolved:a      Open or\n              Corrective Action: Taken or Planned             Completion\nNumber                                                                       Benefits      Yes or No       Closedb\n                                                                 Date\n     10       SEPS provided a PERSEREC                        6/27/2014          $0             Yes         Closed\n              Requirements Specification document\n              and a more detailed PERSEREC\n              Documentum Design document that\n              addresses case processing work flow\n              controls. DIT released PERSEREC\n              into production in June 2014.\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed\n                    corrective action is consistent with the recommendation.\n               (2) Management does not concur with the recommendation, but alternative action meets the\n                   Intent of the recommendation.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)\n                   amount. Monetary benefits are considered resolved as long as management provides an\n                   amount.\nb\n Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective actions\nare complete or (b) in the case of recommendations that the OIG determines to be particularly significant, when the\nOIG confirms that corrective actions have been completed and are responsive.\n\n\n\n\n                                                         48\n\x0c'